Chinese-made cargo equipment enables cyber, espionage risks in US ports, congressional probe finds
China’s embassy in D.C. denied the findings and accused the U.S. of exacerbating supply chain security risks.
A year-long probe led by GOP members of two House panels found that numerous seaports around the U.S. contain technology originating from Chinese manufacturers that could enable espionage and sabotage.
The study conducted by lawmakers and staff on the House Homeland Security Committee and Select Committee on the Chinese Communist Party said that it was an “open secret” around port operators that Chinese crane manufacturer Shanghai Zhenhua Heavy Industries Company Limited — or ZPMC — would “pressure” them to provide remote access into the system on grounds that it can help with equipment monitoring and diagnostics.
The company’s partnership with ABB, a Swiss multinational engineering firm that has secured contracts with several U.S. defense and intelligence agencies, helps exacerbate those risks, it adds.
“In speaking with industry and security stakeholders, the Committees found that pushing back on ZPMC demands — including allowing for remote access — is difficult for customers who are looking to get the lowest price or guarantee a robust warranty policy,” said the report.
The purported monitoring activity was linked to modems in the crane equipment, which could apparently enable a covert method to gather data, evade firewalls and interfere with port activities. Technicians at the ports were aware of these modems and believed them to be used for diagnostic purposes, but the modems themselves were not part of any existing contract, and the ports declined the mobile diagnostic services at the time of purchasing the cranes, added the report.
ZPMC and ABB did not respond to requests for comment by publishing time. ZPMC, in a letter to the committees, denied any module installation activities, said the findings.
“We firmly oppose the U.S. overstretching the concept of national security and abusing state power to go after Chinese products and companies,” said Chinese embassy spokesperson Liu Pengyu. “Weaponizing economic and trade issues will exacerbate security risks in global industrial and supply chains and inevitably backfire. The U.S. needs to respect the principles of market economy and fair competition, and provide a fair, just and non-discriminatory environment for Chinese companies.”
“China will continue to firmly protect the legitimate and lawful rights and interests of Chinese companies,” Pengyu added.
ZPMC, as stated in the report, initially corresponded with congressional committees earlier this year but later informed the panels that it couldn’t deliver written answers without prior approval from the Chinese government. A U.S. law firm representing the company later replied, clarifying that Chinese law requires Beijing’s permission to directly respond to the committees.
ABB requested that the committees partner with them to identify specific concerns that could be mitigated to better address the panel’s concerns, said the report. The company’s initial submission contained hundreds of pages publicly accessible from their website, but these documents did not directly respond to the committees’ questions, the findings said.
“After meeting multiple times with ABB, the Committees documented substantial stalling techniques,” the report says. “ABB claimed that they were undergoing a review of the concerns and wanted to help in any way they could. ABB conveyed multiple times that they do not share any software or code with the PRC and have somehow ‘found a way’ to circumvent PRC national security laws that mandate source-code sharing in order to do business in China,” the committees said.
President Joe Biden in February signed an executive order that emboldened the U.S. Coast Guard to respond to cyber threats on the sea. It earmarked $20 billion toward port infrastructure over the next five years and also required seafaring vessels and their port facilities to shore up cyber defenses and comply with mandatory cybersecurity incident reporting rules.
Over 200 Chinese-made cranes have been detected across U.S. ports and related maritime facilities, and about half of those had been assessed for cybersecurity threats, Rear Adm. John Vann, who heads the Coast Guard’s Cyber Command, said at the time of the executive announcement.
The U.S. does not formally categorize maritime systems as its own critical infrastructure sector. Maritime operations are lodged under transportation networks as an official critical infrastructure designation that also includes railways and aviation systems.