US Senators fear Chinese-made metro rail cars could be used for surveillance

US Senators want Washington Metro to block a Chinese state-owned company from providing subway cars.

Washington Metro

Four US Senators have sent a letter to the Washington Metropolitan Area Transit Authority (WMATA or Metro) to persuade the agency into blocking a Chinese company from bidding on a contract to provide passenger rail cars for a new metro line in the US' capital.

The Senators fear that the Chinese-made rail cars will include backdoors and other mechanisms that will allow the Chinese government to spy on US citizens in its capital, and even sabotage local transportation if ever needed.

The Senators group includes Sen. Mark R. Warner (D-VA), Sen. Tim Kaine (D-VA), Sen. Ben Cardin (D-MD), and Sen. Chris Van Hollen (D-MD).

The four sent their letter last Friday to WMATA CEO Paul J. Wiedefeld after the Washington Post published a report at the start of the year about the possibility of state-owned China Railway Rolling Stock Corp. (CRRC) winning the Washington metro rail car contract --worth around $1 billion for providing up to 800 rail cars.

According to the Post's report, CRRC "has used bargain prices to win four of five large U.S. transit rail car contracts awarded since 2014."

"In the transportation sector, there has been increased interest from particular foreign governments to participate in state and local procurements, including those to manufacture and assemble rail cars for transit agencies around the country," the Senators wrote in an open letter sent to the WMATA CEO.

"While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation's capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country's economic competitiveness and national security."

But besides the economic damage of a Chinese company winning a contract instead of a US-based supplier, experts cited in the Post's report have also raised questions about the cyber-security of the rail cars that the CRRC will supply.

According to WMATA's procurement process, the agency's looking for smart rail cars that would include systems to ensure automatic train control, network and trainline control, video surveillance, monitoring and diagnostics, and a data interface with WMATA.

The Senators fear these systems could be abused to allow a foreign spy, terrorist, or other threat actor to break in and take control of WMATA's systems to conduct foreign espionage or disrupt rail car lines across the city.

The Senators group would like WMATA to amend its procurement rules to include "Buy America" or other similar clauses that would ensure companies owned by foreign governments wouldn't be able to bid on the contract.

The Senators posed a series of questions regarding Metro's plans for the rail car procurement process, including:

  1. While we are aware that nearly all passenger railcar manufacturers in the United States are foreign-owned, what steps is WMATA taking to ascertain and mitigate against the involvement of foreign governments in this procurement?
  2. Has Metro received briefings from the Department of Homeland Security or related agencies on the attempts of foreign adversaries to infiltrate our critical infrastructure and the significant cyber vulnerabilities that can stem from them doing so?
  3. Will Metro take a company's ties to foreign governments with a record of industrial and cyber espionage into account when evaluating bids, particularly if such company is a state-owned enterprise?
  4. If so, will Metro allow sensitive component parts of these railcars to be sourced from such countries?
  5. Will Metro consult with the Department of Defense prior to awarding a contract to confirm whether the Department would permit railcars built by certain foreign governments to operate through the Pentagon?
  6. We understand that Metro has announced that the RFP will be amended to include baseline cybersecurity protocols. Please provide information about these protocols and how they are being developed. How will Metro evaluate bidder responses to this forthcoming cybersecurity addendum? Will Metro review these responses with the Department of Transportation (USDOT) and the Department of Homeland Security, and seek the concurrence of USDOT and DHS in its cybersecurity evaluations before making any final contract award in this procurement? What specific requirements will the addendum include to ensure that any communications technology included in the rail car procurement is protected from being exploited for surveillance purposes?

The fears expressed by the four Senators come after the US has been mulling imposing a country-wide ban on US companies from buying and using any telecommunications equipment made by China's Huawei and ZTE, on similar fears that the Chinese government might be using the equipment sold by the two companies to spy on the US.

More security coverage: