Can a Chinese Metro car spy on us? Many experts say yes.

Faiz Siddiqui, local reporter on the DC Metro, Uber and Lyft, and transit-oriented tech start-ups. January 7 at 4:45 PM.

The warnings sound like the plot of a Hollywood spy thriller: the Chinese hide malware in a Metro rail car's security camera system that allows Pentagon or White House guards to be tracked while riding the Blue Line, sending images back to Beijing. Or sensors on the train secretly record officials' conversations. Or a flaw in the software that controls the train, introduced during the production process, makes it possible for foreign agents or terrorists to hack it and cause a crash.

Congress, the Pentagon and industry experts have taken the warnings seriously, and now Metro will do the same. The transit agency recently decided to add cybersecurity safeguards to the specifications for a contract that it will award later this year for its next generation of trainsets, after warnings that the Chinese rail car manufacturer could win the deal by undercutting other bidders.

Metro's move to change its bid specifications after they were issued stems from China's drive to dominate the multimillion-dollar American rail transport market. The state-owned China Railway Rolling Stock Corp., or CRRC, has used low-priced bids since 2014 to win four of the five major US transit rail car contracts. The company is expected to be a strong contender for a Metro contract that is likely to exceed $1 billion for between 256 and 800 of the agency's latest series of rail cars.

CRRC's success has raised concerns about national security and about China's growing footprint in the industrial supply chain and infrastructure of the United States.

"This is part of a larger conversation about this country and China and industry dominance," said Robert J. Puentes, president of the Eno Center for Transportation. "We do not want to get caught up in a xenophobic conversation … but we do not want to be naïve either."
No American company makes subway cars, so China competes in that market against companies from Asia, Europe and Canada. But American companies do build freight rail cars, such as boxcars and tankers, and they fear that China will come after them next. That could cost US manufacturing jobs. It could also increase the risk of a cyberattack that paralyzes domestic rail transport during a military confrontation or other national emergency.

"China's attack on our rail system is treacherous and genius," retired Army Brig. General John Adams wrote in an October report that was distributed by the Rail Security Alliance, an American industry group. "We need to maintain know-how and technology … protection against disruption of this strategically vital sector of our economy."

China does not hide its desire to dominate the global rail car industry. Its economic strategy, "Made in China 2025," proposes gaining a competitive advantage in that sector, among others.

Both the US Senate and the House have attempted to block further Chinese penetration of the transit vehicle market. Each chamber has inserted language into its annual transportation appropriations bill to prohibit, for one year, new purchases of rail cars or buses for public transit from Chinese-owned companies if the purchase uses federal funding. The ban is not yet law, since final action has been postponed until this year.

Sen. John Cornyn (R-Tex.) sponsored the Senate's prohibition. His spokesperson said it reflected his concerns about market-distorting practices in China and "their entire government effort . . . to dominate industries that are sensitive to our national security."
"Texas is the home of Trinity Industries, a leading American rail car company, and a ban on purchases from China can put financial pressure on transit systems such as Metro, which may want to take advantage of the low CRRC prices." Critics have said the company is capable of prohibit competitors for government subsidies CRRC has not responded to emails asking for comment Rep. Gerald E. Connolly (D-Va.) Metro said that it should be prepared to pay extra if necessary. not worth compromising security in the country's capital, "Connolly said." If there are valid security concerns about buying trains from a Chinese state-owned company, find another option. "New requirement When choosing the winner of the contract Metro is legally obliged to follow the guidelines set out in a long request for proposals, or RFP, which issued it in September and now will review to include the cybersecurity safeguards. The changes are expected to allow the winning bidder to have the hardware and software certified as safe by a third party approved by the federal government. "We are currently working on an adapted language that requires certain security guarantees," said Kyle Malo, Metro's key information security officer. He refused to regard China as a threat, but remarked: "There are countries that are much more aggressive with cyber attacks than others." [San Francisco’s light-rail system was held hostage by hackers.] The bids for the Metro contract are scheduled for 4 April. The original deadline, at the end of January, was extended because Metro received more than 300 questions from potential bidders. Metro decided to revise the RFP after questions were raised by board member David Horner, who represents the federal government and is a former US assistant secretary of transport. "My concern is that state-sponsored companies can serve as a platform for performing cyber espionage against the United States," Horner said. 
"These risks are not widely understood today, but their meaning soon becomes clear." Horner's concerns were reinforced in a November 16 blog by Andrew Grotto, a former senior cyber security policy director at the National Security Council. It warned that Metro RFP did not allow the transit agency to reject a bid due to cyber security concerns. "The risk of espionage is uniquely high in our nation's capital," said Grotto, now fellow at Stanford University's Center for International Security and Cooperation, in an e-mail. "Malware can redirect data collected from the high definition security cameras." An opponent with that data could then use facial recognition algorithms to track riders, possibly up to the homeworking patterns of individual riders. "The Pentagon is also worried that China could use infrastructure such as rail cars for espionage. It pointed to recent charges in the US about the massive Beijing-backed hacking of trade secrets as evidence of the country's bad practices. "As illustrated by the Ministry of Justice's charge of December 20 against the Chinese Ministry of State Security, the use of predatory economic practices by the Chinese Communist Party, such as illegally state-sponsored cybertheft, raises concerns about Chinese companies that play a role. in critical infrastructure – whether it's railroad cars or 5G telecommunications networks, "said Air Force Lieutenant Colonel Mike Andrews, spokesman for the Ministry of Defense. China has previously been accused of embedding espionage technology into its products. In May, the Pentagon sent service members to military bases to stop using phones made by the Chinese companies ZTE and Huawei due to security risks. In 2017, the Department of Homeland Security discovered that Chinese video cameras that were used on US military installations in Afghanistan had a "back door". that allowed images to be taken outside, the Wall Street Journal reported. 
City contracts

CRRC's first major success in the American transit rail market came in 2014, when it won a contract to build rail cars for the Boston transit authority. In 2016, agreements were concluded with systems in Chicago, Los Angeles and Philadelphia. Agencies said that CRRC had the most competitive bids, sometimes undercutting competitors by hundreds of millions of dollars.

Since then, officials in some cities have complained that their train station costs may rise due to a 25 percent tariff on China-made railroad components imposed by the Trump administration as part of its trade dispute with Beijing. Such tariffs may be lifted if the ongoing US-Chinese trade negotiations are successful.

The four transit systems said that they have taken significant steps to ensure that their rail cars are not equipped with spyware or other suspicious technology. Critics questioned whether the assurances were sufficient.

Brian Steele, a spokesman for the Chicago Transit Authority, said the agency received bids from CRRC and Canada's Bombardier in 2016 for the construction of 846 trains, along with a $40 million final assembly facility in Chicago that created 170 jobs.

"The biggest difference in the two proposals was the cost," Steele said. He said that CRRC's bid of $1.3 billion was $226 million lower than Bombardier's offer, a difference that corresponds to 146 more cars.

Steele said that the computer or software components of the rail cars will not be made by a Chinese company. He said that American and Canadian companies supply the Ethernet and router components of the car, while the "automatic train control system" is provided by a company in Pennsylvania.

The Massachusetts Bay Transportation Authority has awarded more than $840 million for the construction of 404 new subway cars at the CRRC plant in Springfield, Mass. That plant, a $95 million facility, comes with 150 jobs, according to media reports.
CRRC won the first award with a bid of $567 million, which was $154 million lower than the closest competitor's, according to an Eno report.

An MBTA spokesman said that none of the software components of the new vehicles are produced in China.

"The MBTA has robust controls to maintain the security of the system," spokesperson Joe Pesaturo said in an e-mail. Pesaturo said that the MBTA's design process for new trainsets includes a cybersecurity analysis based on a security standard from the US Department of Defense.

Grotto, the former National Security Council official, said that the security measures described by the transit agencies were "appropriate," but voiced concerns about how they would be implemented.

"Who is responsible and responsible for seeing these results? How do monitoring and auditing work?" said Grotto.

Erik Olson, vice president of the Rail Security Alliance, called the assurances "excessively simplistic and potentially naive."

"Do we really want our municipal transit agencies to take this kind of cyber risk, knowing that China has some of the most advanced facial recognition technology, was responsible for hacks in our critical infrastructure and has a plan to decimate many of our industries by 2025?" Olson said in an e-mail.