The warnings sound like the plot of a Hollywood spy thriller: The Chinese hide malware in a Metro rail car’s security camera system that allows surveillance of Pentagon or White House officials as they ride the Blue Line — sending images back to Beijing.
Or sensors on the train secretly record the officials’ conversations. Or a flaw in the software that controls the train — inserted during the manufacturing process — allows it to be hacked by foreign agents or terrorists to cause a crash.
Congress, the Pentagon and industry experts have taken the warnings seriously, and now Metro will do the same. The transit agency recently decided to add cybersecurity safeguards to specifications for a contract it will award later this year for its next-generation rail cars following warnings that China’s state-owned rail car manufacturer could win the deal by undercutting other bidders.
Metro’s move to modify its bid specifications after they had been issued comes amid China’s push to dominate the multibillion-dollar U.S. transit rail car market. The state-owned China Railway Rolling Stock Corp., or CRRC, has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014. The company is expected to be a strong contender for a Metro contract likely to exceed $1 billion for between 256 and 800 of the agency’s newest series of rail cars.
CRRC’s success has raised concerns about national security and China’s growing footprint in the U.S. industrial supply chain and infrastructure.
“This is part of a larger conversation about this country and China, and domination of industries,” said Robert J. Puentes, president of the Eno Center for Transportation. “We don’t want to get trapped into a xenophobic conversation . . . but we also don’t want to be naive.”
No U.S. company makes subway cars, so China competes in that market against companies from Asia, Europe and Canada. But U.S. companies build freight rail cars, such as boxcars and tank cars, and they fear China will target them next.
That could cost U.S. manufacturing jobs. It also could increase the risk of a cyberattack that cripples domestic rail transportation in a military confrontation or other national emergency.
“China’s attack on our rail system is insidious and ingenious,” retired Army Brig. Gen. John Adams wrote in an October report distributed by the Rail Security Alliance, a U.S. industry group. “We must retain the know-how and technology to . . . safeguard against disruption of this strategically vital sector of our economy.”
China makes no secret of its desire to dominate the global rail car industry. Its “Made in China 2025” economic strategy proposes to seek competitive advantage in that sector, among others.
Both the U.S. Senate and House have sought to block further Chinese penetration of the transit vehicle market. Each chamber has inserted language in annual transportation appropriations bills to impose a one-year ban on new purchases of mass transit rail cars or buses from Chinese-owned companies if the procurement uses federal funding. The ban is not yet law, as final action has been put off until this year.
Sen. John Cornyn (R-Tex.) sponsored the Senate ban. His spokeswoman said it reflected his “concern over China’s market distorting practices and their whole government effort . . . to dominate industries sensitive to our national security.” Texas is home to Trinity Industries, a leading U.S. rail car company.
A ban on purchases from China could penalize financially pressed transit systems such as Metro, which may want to take advantage of CRRC’s low prices. Critics have said the company is able to underbid competitors because of state subsidies. CRRC did not respond to emails requesting comment.
Rep. Gerald E. Connolly (D-Va.) said Metro should be willing to pay extra if necessary.
“Saving a buck isn’t worth compromising security in the nation’s capital,” Connolly said. “If there are valid security concerns about sourcing rail cars from a Chinese state-owned company, then find another option.”
In picking the winner of the contract, Metro is legally required to follow guidelines it set in a lengthy request for proposals, or RFP, which it issued in September and will now revise to include the cybersecurity safeguards. The changes are expected to require that the winning bidder have its hardware and software certified as safe by a third-party vendor cleared by the federal government.
“We are working on amended language right now that will require certain security assurances,” said Kyle Malo, Metro’s chief information security officer. He declined to single out China as a threat but noted, “There are countries that are far more aggressive with cyberattacks than others.”
Bids for the Metro contract are due April 4. The original deadline, in late January, was extended because Metro received more than 300 questions from potential bidders.
Metro decided to revise the RFP after questions were raised by board member David Horner, who represents the federal government and is a former U.S. deputy assistant secretary of transportation.
“My concern is that state-sponsored enterprises can serve as platforms for conducting cyberespionage against the United States,” Horner said. “These risks are today not widely understood, but their significance is becoming apparent very quickly.”
Horner’s concerns were reinforced in a Nov. 16 online article by Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council. It warned that Metro’s RFP did not allow the transit agency to reject a bid because of cybersecurity worries.
“The risk of espionage is uniquely high in our nation’s capital,” Grotto, now a fellow at Stanford University’s Center for International Security and Cooperation, said in an email. “Malware could divert data collected from the high definition security cameras. An adversary with that data could then use facial recognition algorithms to track riders, potentially right down to the commuting patterns of individual riders.”
The Pentagon also is concerned China could use infrastructure such as rail cars for spying. It pointed to recent U.S. charges over a massive, Beijing-backed campaign to steal business secrets as evidence of the country's conduct.
“As illustrated by the Dec. 20 Department of Justice indictment against the Chinese Ministry of State Security, the Chinese Communist Party’s use of predatory economic practices like illegal state-sponsored cybertheft reinforce concerns about Chinese companies playing a role in critical infrastructure — whether it be rail cars or 5G telecommunications networks,” said Air Force Lt. Col. Mike Andrews, a Defense Department spokesman.
China has previously been accused of embedding spying technology in its products. In May, the Pentagon directed service members on military bases to stop using phones made by the Chinese companies ZTE and Huawei because of security risks. In 2017, the Department of Homeland Security found that some Chinese-made security cameras contained a "back door" that left them vulnerable to hackers. The Wall Street Journal reported that the same manufacturer's cameras have been used at a U.S. Army base in Missouri and the U.S. embassy in Afghanistan.
CRRC’s first big success in the U.S. subway market came in 2014, when it won a contract to build rail cars for the Boston transit authority. In 2016, it landed deals with systems in Chicago, Los Angeles and Philadelphia.
Agencies said CRRC had the most competitive bids — sometimes besting competitors by hundreds of millions of dollars. Since then, officials in some cities have complained their rail car costs may rise because of a 25 percent tariff on Chinese-made rail car components imposed by the Trump administration as part of its trade conflict with Beijing. Such tariffs could be removed if current U.S.-Chinese trade talks are successful.
The four transit systems said they have taken significant steps to ensure their rail cars are not outfitted with spyware or other suspicious technology. Critics questioned whether the safeguards were adequate.
Brian Steele, a spokesman for the Chicago Transit Authority, said the agency received bids from CRRC and Canada-based Bombardier for the construction of 846 rail cars in 2016, along with a $40 million final-assembly facility in Chicago creating 170 jobs.
“The biggest difference in the two proposals was cost,” Steele said. He said CRRC’s $1.3 billion bid was $226 million lower than Bombardier’s offer, a difference equivalent to 146 more rail cars.
Steele said none of the rail cars' computer or software components will be made by a Chinese firm. He said U.S. and Canadian companies are supplying the cars' Ethernet and router components, while the "automatic train control" system will be supplied by a Pennsylvania firm.
The Massachusetts Bay Transportation Authority has awarded more than $840 million for the construction of 404 new subway cars at CRRC’s manufacturing plant in Springfield, Mass. That plant, a $95 million facility, comes with 150 jobs, according to media reports. CRRC won the initial award with a $567 million bid, which was $154 million lower than the nearest competitor, according to an Eno report.
An MBTA spokesman said none of the new vehicles’ software components are being produced in China.
“The MBTA has robust controls in place to maintain the security of the system,” spokesman Joe Pesaturo said in an email.
Pesaturo said MBTA’s design process for new rail cars includes a cybersecurity analysis based on a U.S. Department of Defense military system safety standard.
Grotto, the former National Security Council official, said the security measures described by the transit agencies were “appropriate” but expressed concern about how they would be implemented.
“Who is responsible and held accountable for seeing these results through? How will monitoring and auditing work?” Grotto said.
Erik Olson, vice president of the Rail Security Alliance, called the assurances “overly simplistic and potentially naive.”
“Do we really want our municipal transit agencies to take these kinds of cyber-risks, knowing that China has deployed some of the most advanced facial recognition technology, has been responsible for hacks into our critical infrastructure, and has laid out a plan to decimate many of our industries by 2025?” Olson said in an email.