Could a subway car built in China spy on us? Many experts say yes.


By Faiz Siddiqui, local reporter covering DC Metro, Uber and Lyft, and transit-oriented technology start-ups
January 7 at 4:45 pm

The warnings sound like the plot of a Hollywood spy thriller: The Chinese hide malware in a rail car's security camera system, allowing surveillance of Pentagon or White House officials as they ride the Blue Line and sending images to Beijing. Or sensors on the train secretly record officials' conversations. Or a flaw in the software that controls the train – inserted during the manufacturing process – allows it to be hacked by foreign agents or terrorists to cause a crash.

Congress, the Pentagon and industry experts have taken the warnings seriously, and now Metro will do the same. The transit agency recently decided to add cybersecurity safeguards to the specifications for a contract that will be awarded by the end of the year for its next generation of rail cars, after warnings that China's state-owned rail car manufacturer could win the business by undercutting other bidders.

Metro's move to change its bid specifications after they were issued comes amid China's drive to dominate the multibillion-dollar transit market. The state-owned China Railway Rolling Stock Corp., or CRRC, has used favorable prices to win four of the five major US rail transport contracts awarded since 2014. The company is expected to be a strong competitor for a Metro contract that will exceed $1 billion for between 256 and 800 of the agency's newest series of rail cars.

CRRC's success has raised concerns about national security and China's growing footprint in the US supply chain and industrial infrastructure.

"This is part of a broader conversation about this country and about China and industry domination," said Robert J. Puentes, president of the Eno Center for Transportation. "We do not want to be trapped in a xenophobic conversation … but we also do not want to be naive."
No US company produces subway cars, so China competes in that market against companies from Asia, Europe and Canada. But US companies do build other rail cars, such as freight cars and tank cars, and they fear China will target them in the future.

This could cost jobs in the United States. It could also increase the risk of a cyberattack that paralyzes national rail transport during a military confrontation or other national emergency.

"China's attack on our rail system is insidious and ingenious," retired Army Brig. Gen. John Adams wrote in an October report released by the Rail Security Alliance, an American industry group. "We need to maintain know-how and technology for … the safeguard against the breakdown of this strategically vital sector of our economy."

China makes no secret of its desire to dominate the global rail sector. Its "Made in China 2025" economic strategy proposes seeking competitive advantages in that sector, among others.

Both the Senate and the House have sought to halt further Chinese penetration of the transit vehicle market. Each chamber has inserted language into annual transportation appropriations bills to impose a one-year ban on new purchases of rail cars or transit buses from Chinese-owned companies if the procurement uses federal funding. The ban is not yet law, as final action has been postponed to this year.

Senator John Cornyn (R-Tex.) sponsored the Senate ban. His spokesperson said it reflects his "concern over the distorting practices of the Chinese market and their entire government effort … dominate industries sensitive to our national security." Texas is home to Trinity Industries, one of the leading United States companies in the rail car field.
A ban on purchases from China could financially penalize transit systems such as Metro, which may wish to take advantage of CRRC's low prices. Critics have said that the company is able to undercut its competitors because of state subsidies. CRRC did not respond to e-mails requesting comment.

Representative Gerald E. Connolly (D-Va.) said Metro should be willing to pay extra if necessary.

"Saving a dollar is not worth compromising security in the nation's capital," Connolly said. "If there are any major safety concerns about the supply of railway carriages from a Chinese state company, then we find another option."

New requirement

In choosing the winner of the contract, Metro is legally obliged to follow the guidelines established in a long request for proposals, or RFP, which it issued in September and which will now be revised to include cybersecurity measures. The changes are expected to require that the winning bidder have its hardware and software certified as secure by a third-party vendor authorized by the federal government.

"At the moment we are working on a modified language that will require certain security guarantees," said Kyle Malo, Metro's information security manager. He declined to identify China as a threat, but noted: "There are countries that are much more aggressive with cyber attacks than others."

Bids for the Metro contract are due April 4. The original deadline, at the end of January, was extended because Metro received more than 300 applications from potential bidders.

Metro decided to revise the RFP after questions were raised by board member David Horner, who represents the federal government and is a former US Deputy Secretary of Transportation.

"My concern is that state-sponsored businesses can serve as platforms to conduct cyberespionage against the United States," said Horner.
"These risks are not widely understood today, but their significance is becoming evident very quickly."

Horner's concerns were reinforced in a November 16 blog post by Andrew Grotto, a former senior security policy official at the National Security Council. He warned that Metro's RFP did not allow the transit agency to reject a bid because of IT security concerns.

"The risk of espionage is exceptionally high in our nation's capital," said Grotto, now a fellow at the Center for International Security and Cooperation at Stanford University, in an email. "Malware could divert data collected from high-definition security cameras, and an adversary with that data could then use facial recognition algorithms to track riders, potentially up to individual pilots' commuting patterns."

The Pentagon is also concerned that China could use infrastructure such as rail cars for spying. It highlighted recent US positions on the extensive Beijing-backed hacking of trade secrets as evidence of the country's bad practices.

"As illustrated by the December 20 Justice Department's charge against the Chinese State Ministry of Security, the Chinese Communist Party's use of predatory economic practices such as state-sponsored illegal cybertheft reinforces concerns over Chinese companies that play a role in critical infrastructure, railway wagons or 5G telecommunications networks," said Air Force Lieutenant Colonel Mike Andrews, a spokesman for the Department of Defense.

China has previously been accused of incorporating espionage technology into its products. In May, the Pentagon directed service members on military bases to stop using phones made by ZTE and Huawei because of security risks. In 2017, the National Security Department found that Chinese-made cameras used at US military installations in Afghanistan had a "back door" that allowed images to be sent to outsiders, as reported by the Wall Street Journal.
City contracts

CRRC's first major success in the US subway car market came in 2014, when it won a contract to build rail cars for the Boston transit authority. In 2016, it did business with the Chicago, Los Angeles and Philadelphia systems. The agencies said CRRC submitted the most competitive bids, sometimes beating competitors by hundreds of millions of dollars.

Since then, officials in some cities have complained that the cost of their rail cars could rise because of a 25 percent tariff on Chinese rail car components imposed by the Trump administration as part of its trade conflict with Beijing. These tariffs could be removed if current trade talks between China and the United States are successful.

The four transit systems said they have taken significant steps to ensure that their rail cars are not equipped with spyware or other suspicious technology. Critics questioned whether the security measures were adequate.

Brian Steele, a spokesperson for the Chicago Transit Authority, said the agency received bids in 2016 from CRRC and Canada-based Bombardier for the construction of 846 rail cars, along with a $40 million final assembly plant in Chicago, creating 170 jobs.

"The biggest difference between the two proposals was cost," said Steele. He said the $1.3 billion CRRC bid was $226 million lower than the Bombardier bid, a difference equivalent to 146 additional rail cars.

Steele said that none of the computer or software components of the rail cars will be produced by a Chinese company. He said US and Canadian companies are supplying the cars' Ethernet and router components, while the "automated train control" system will be provided by a Pennsylvania company.

The Massachusetts Bay Transportation Authority awarded over $840 million for the construction of 404 new subway cars at the CRRC production facility in Springfield, Massachusetts.
That $95 million facility provides 150 jobs, according to media reports. CRRC won the first award with a bid of $567 million, or $154 million less than the nearest competitor, according to an Eno report.

An MBTA spokesman said none of the software components of the new vehicles are produced in China.

"The MBTA has robust controls to maintain system security," spokesman Joe Pesaturo said in an e-mail. Pesaturo said that the MBTA design process for the new rail cars includes a cybersecurity analysis based on the US Department of Defense's military system security standard.

Grotto, the former National Security Council official, said that the security measures described by the transit agencies were "appropriate" but expressed concern about how they would be implemented.

"Who is responsible and held responsible for seeing these results through? How will monitoring and auditing work?" Grotto said.

Erik Olson, vice president of the Rail Security Alliance, called the assurances "overly simplistic and potentially naive."

"We really want municipal transport agencies to adopt this kind of cyber risks, knowing that China has deployed some of the most advanced facial recognition technology, has been responsible for hacks in our critical infrastructure and has defined a plan to decimate many of our sectors by 2025?" Olson said in an e-mail.

