The Washington PostDemocracy Dies in Darkness

Senators urge Metro to guard against Chinese spying in new subway cars

Passengers wait for trains along the Red Line at  Cleveland Park station Nov. 29, 2018.
Passengers wait for trains along the Red Line at Cleveland Park station Nov. 29, 2018. (Katherine Frey/The Washington Post)
Placeholder while article actions load

U.S. senators representing the Washington region want Metro to take stronger steps to guard against the risk that buying subway cars from China would allow Beijing to use the vehicles to conduct electronic spying on the nation’s capital.

In a letter to Metro General Manager Paul J. Wiedefeld, the lawmakers say the transit agency should get approval from the Defense Department, Department of Homeland Security and Transportation Department before awarding the contract for its next-generation rail cars to a foreign adversary.

The letter adds pressure on Metro to take more extensive precautions than it has done so far in light of the possibility that the state-owned China Railway Rolling Stock Corp. (CRRC) could win the deal to build up to 800 of Metro’s 8000-series rail cars.

CRRC has used low bids to win four of five large U.S. transit rail car contracts awarded since 2014. The company — which critics say benefits from state subsidies — is expected to be a strong contender for the Metro contract, which is likely to be worth more than $1 billion.

Could a Chinese-made Metro car spy on us? Many experts say yes.

Some analysts say resistance to CRRC in Congress, the Pentagon and the U.S. rail-car industry may force Metro to award the contract to a different company. Doing so would probably lead to legal challenges and cost Metro hundreds of millions of dollars, given CRRC’s bargain prices. No U.S. company makes subway cars, so China competes in that market against companies from Asia, Europe and Canada.

The letter, delivered Friday, was signed by Sens. Mark R. Warner (D) and Tim Kaine (D) of Virginia, and Ben Cardin (D) and Chris Van Hollen (D) of Maryland. Warner is vice chairman of the Senate Intelligence Committee.

Metro’s response was mixed. Wiedefeld issued a brief statement saying the agency was strengthening its protections against cyberespionage, while Metro Board Chairman Jack Evans criticized the senators.

“If indeed the federal government wants us to buy from other vendors at a higher cost, then they need to subsidize the difference,” Evans said. He faulted the federal government for failing to pay part of Metro’s operating costs, when federal workers make up an estimated 40 percent of Metro’s rush-hour ridership.

“I note that the federal government still pays zero, nothing, for Metro on the operating side,” Evans said. “I would instruct the four senators to focus their efforts on getting federal funding for Metro.”

The senators’ letter did not mention China by name, but it was unmistakably aimed at Beijing. The draft of an accompanying news release said the missive aired “safety and security concerns” regarding the possibility that the contract would go “to a Chinese manufacturing company.”

The news release also referred to a Jan. 7 front-page story in The Washington Post reporting concerns that China could install malware in the subway cars’ electronic systems to conduct video surveillance, monitor conversations or cause a crash.

Metro cybersecurity audit highlights growing concerns at agencies across the country.

The Washington region’s senators aren’t the only ones uneasy about the Metro contract. On Jan. 11, Sens. Mike Crapo (R-Idaho) and Sherrod Brown (D-Ohio) wrote Wiedefeld expressing “deep concerns” about CRRC’s efforts “to displace rail manufacturers in the United States.” Crapo and Brown are, respectively, the chairman and ranking Democrat on the Senate Committee on Banking, Housing and Urban Affairs, which oversees public transportation.

The apprehensions arise partly from broader disquiet over charges of Chinese, state-sponsored cybertheft of business secrets and hacking of critical U.S. infrastructure such as telecommunications networks.

The local senators’ letter said technologies in the rail cars that are vulnerable to “hacking or other forms of interference” include “automatic train control; network and trainline control; video surveillance; monitoring and diagnostics; and data interface with [Metro].”

It asked several questions aimed at pressing Metro to take precautionary measures, including: “Will Metro consult with the Department of Defense prior to awarding a contract to confirm whether the Department would permit railcars built by certain foreign governments to operate through the Pentagon?” and “Will Metro . . . seek the concurrence of USDOT and DHS in its cybersecurity evaluations before making any final contract award?”

Wiedefeld said Metro would respond directly to the senators as soon as possible.

“We recognize the important national security concerns being raised, and we are working to strengthen this procurement and others with new cybersecurity requirements,” Wiedefeld said. “While we have a fiduciary responsibility with all procurements, safety and security is always our first priority.”

In picking the winner of the 8000-series contract, Metro is legally required to follow guidelines it set in a lengthy request for proposals (RFP) it issued in September. The agency said in December that it would revise the specifications in the RFP in light of worries about CRRC. Bids are due April 4.

Metro acted to strengthen its cybersecurity program in the fall by hiring Kyle Malo, a former head of information security at the FBI, as its chief information security officer.

A Japanese company, Kawasaki, is building Metro’s latest series rail car, the 7000 series. But Evans and others said Kawasaki is so busy with a new contract with the New York transit system that it is unlikely to compete aggressively, if at all, for the 8000-series cars.

“It is my understanding that Kawasaki might not be able to bid, leaving us with fewer options,” Evans said.

Other Metro board members had differing reactions to the senators’ letter.

David Horner, who represents the federal government, said he hoped Metro would go further than the senators asked by reviewing whether bidders received financial subsidies “from a non-allied government.” Horner has been airing concerns about CRRC since the fall.

“When procuring critical infrastructure, it is necessary for authorities to understand the extent to which proposers act as the alter egos of our country’s rivals,” Horner said.

Board member Michael Goldman was concerned that Metro was being unfairly singled out given that CRRC already has contracts with transit agencies in Boston, Chicago, Los Angeles and Philadelphia. He noted that CRRC has built manufacturing plants in the United States to assemble subway cars, although many of the components are made in China.

“This is a broader national issue,” said Goldman, who represents Maryland. “What’s needed is some broad guidance from the federal government as to what the nature of the problem is, and how transport properties can take steps to protect their infrastructure against cybersecurity intrusions.”

CRRC has not responded to emails requesting comment. However, a Jan. 13 article in the Chinese publication Global Times, which reflects the views of the Beijing government, quoted “a Chinese railway expert” as saying concerns about espionage “are groundless and could delay progress in US rail transportation.”

Faiz Siddiqui contributed to this story.