Chinese rail company draws scrutiny in US over high-tech subway cars
Monday, May 20, 2019
The US Senate’s top Democrat is calling on the federal government to investigate whether a plan for new subway cars in New York City designed by a Chinese state-owned company could pose a threat to national security.
Senator Charles Schumer of New York said in a statement to The Associated Press on Sunday that he asked the Commerce Department to conduct a “top-to-bottom review” after CRRC, one of the world’s largest train makers, won a design contest for new subway cars that would include “modern train control technology.”
The company hasn’t won a contract in New York City, which has America’s biggest transit system, but it has been awarded contracts in recent years for new subway cars in Los Angeles, Chicago, Boston and Philadelphia.
In announcing the contest winners last year, the Metropolitan Transportation Authority, which operates the subway system, said CRRC had proposed investing US$50 million of its own money to develop the new subway cars. The contest was designed to bring out new ideas for future projects but did not lead to any contracts for new subway cars and the MTA is not currently purchasing any new cars.
But in the last few years, China has pushed to dominate the U.S. rail car market, a multibillion-dollar industry. CRRC is also believed to be pursuing a US$500 million contract with the Washington Metropolitan Area Transit Authority in Washington, D.C.
Security experts and members of Congress have raised the alarm about CRRC because it is owned by the Chinese government, warning of prior cyberthreats and hacking attacks linked to Chinese intelligence officials. They fear allowing the company to install technology in America’s rail system could potentially expose it to cyberespionage and sabotage.
“The MTA has robust, multilayered and vigorously enforced safety and security standards, but we support efforts of government agencies to bolster that work,” spokesman Max Young said.
A spokesman for CRRC Sifang America — the company’s arm in Chicago — said a majority of the components used in its new rail cars come from U.S. companies and said concerns about spying or malware are misplaced. The rail cars meet specific requirements set by the transit agencies, the manufacturer doesn’t control the cyber components it installs and it is “not possible” for the company to implant malware in the system, he said.
“There is no evidence of a passenger railcar manufacturer, including CRRC, installing any type of new technology that could intentionally open passenger railcars to cyberthreats or pose a threat to commuters and national security,” spokesman Dave Smolensky said. “CRRC is eager to address any concerns Senator Schumer has and we welcome an inquiry regarding our U.S. operations.”
Legislation has been introduced in both the House and Senate that, if passed, would prevent federal funds from being used for rail projects involving Chinese companies.
“Given what we know about how cyberwarfare works, and recent attacks that have hit transportation and infrastructure hubs across the country, the Department of Commerce must give the green light and thoroughly check any proposals or work China’s CRRC does on behalf of the New York subway system, including our signals, Wi-Fi and more,” Schumer said the statement to AP.
In 2017, hackers attacked the Sacramento transit system and demanded a ransom in cryptocurrency. The transit agency said at the time that the hackers erased parts of programs on its servers that affect operations like the ability to use computers to dispatch employees and assign buses. In 2016, a ransomware attack on San Francisco’s transit system resulted in officials shutting down ticketing machines, allowing free rides for much of a weekend. And last year, the Colorado Department of Transportation fell victim to a similar attack that essentially froze hundreds of computers.
In the last few years, the U.S. Justice Department has brought several cases alleging hacking by Chinese intelligence officials and targeting Chinese cyberespionage.
“This kind of national security responsibility is just so big, and so complex, that the MTA and other big-city transit systems should not have to foot the burden of going it alone to assess whether or not CRRC’s low bids for work, and current contracts across the country, are part of some larger strategy. We just cannot be too careful here, especially now, amidst these tensions and general cyber threats,” Schumer said.
The Commerce Department did not immediately comment on Sunday.-AP