Security concerns over Chinese rail cars

The government must investigate whether purchasing subway cars from a Chinese state-owned company would jeopardize national security, according to Senate Minority Leader Chuck Schumer.

The New York Democrat is urging the Commerce Department to launch an investigation examining whether the state-owned China Railway Rolling Stock Corp. could pose cybersecurity and hacking threats as the company works with New York’s Metropolitan Transportation Authority and other major urban transit systems.

“This kind of national security responsibility is just so big and so complex that the MTA and other big city transit systems should not have to foot the burden of going it alone to assess whether or not CRRC’s low bids for work, and current contracts across the country, are part of some larger strategy,” Schumer said in a statement last month. “We just cannot be too careful here, especially now, amidst these tensions and general cyber threats.”

The railway corporation received contracts for rail cars in cities including Los Angeles, Chicago, Philadelphia, and Boston. Reuters reported last month the company is also hashing out a more than $500 million rail car contract with the Washington Metropolitan Area Transit Authority in D.C.

Similarly, CRRC is reportedly pursuing a contract with MTA to manufacture approximately 1,000 rail cars, according to the Washington Post. The company has yet to secure a contract in New York City, but it was one of the winners of MTA’s recent design contest for new rail cars. As part of the contest, CRRC invested $50 million of its own money to create a new subway car, with features such as Wi-Fi that Schumer argued could be vulnerable to cyberattacks.

In the past, rail cars have been hit by cyberattacks that security officials attributed to China. Public transit systems in San Francisco and Sacramento were subjected to ransomware attacks from hackers in 2016 and 2017.

Schumer pointed to a tweet from CRRC that has since been deleted claiming that 83% of rail products globally are operated by or are from the company. The tweet asked, “How long will it take for us conquering the remaining 17%?”

“Given what we know about how cyberwarfare works, and recent attacks that have hit transportation and infrastructure hubs across the country, the Department of Commerce must give the green light and thoroughly check any proposals or work China’s CRRC does on behalf of the New York subway system, including our signals, Wi-Fi, and more,” Schumer said.

According to the company’s Chicago subsidiary, CRRC Sifang America, national security concerns from lawmakers are unfounded. A spokesman for the company said it was “eager” to address any apprehensions Schumer has and would “welcome an inquiry regarding our U.S. operations.”

“There is no evidence of a passenger railcar manufacturer, including CRRC, installing any type of new technology that could intentionally open passenger rail cars to cyberthreats or pose a threat to commuters and national security,” spokesman Dave Smolensky said, according to the Associated Press.

Smolensky also noted that many of the parts used in the rail cars are from U.S. companies.

Next steps for an investigation into potential national security threats are unclear. The Department of Commerce and a spokesperson for Schumer did not respond to requests for comment from the Washington Examiner.

Lawmakers in both chambers have grown concerned about the national security ramifications of working with Chinese rail companies. For example, Sens. John Cornyn, R-Texas, and Tammy Baldwin, D-Wis., introduced legislation in March that would bar using federal funds to purchase rail cars or buses produced by Chinese-owned or controlled companies.

“China poses a clear and present danger to our national security and has already infiltrated our rail and bus manufacturing industries,” Cornyn said in a statement. “The threat to our national security through the exploitation of our transportation and infrastructure sectors is one we should take seriously.”

Likewise, Democratic Sens. Mark Warner and Tim Kaine of Virginia and Chris Van Hollen and Ben Cardin of Maryland introduced legislation last month that would prevent the D.C. transit authority from using federal funds on a contract with CRRC for new rail cars. The senators previously said they were worried about technologies that were expected to be included in the new metro cars, such as video surveillance, and argued the technology could allow a foreign spy or terrorist to hack into the metro system and conduct espionage.

A bipartisan group of House lawmakers from New York also issued a letter to MTA and the New York Transit Authority voicing their worries about a potential cyberattack.

“While we welcome innovation and continued enhancements to the operations of our subway system, we have serious concerns regarding the intimate involvement of a Chinese state-owned enterprise in these efforts,” the lawmakers wrote. “Moreover, we question the impact that this involvement could have on New York’s vibrant rail supply sector.”

The letter, spearheaded by Reps. Kathleen Rice, a Democrat, and John Katko, a Republican, pressed for details on whether the Department of Homeland Security has briefed MTA on “potential risks inherent in contracting with entities closely linked to certain foreign governments.” They also requested details on whether any cybersecurity protocols are in place for those who won grants from the design contest.

“With millions of passengers riding on the New York City Subway system every day, it is important that we take steps to ensure the integrity of our systems and mitigate any cyber risks before attacks happen,” the lawmakers said.
