Defense bill must protect US rail system against Chinese cyber intrusions

A year ago, we wrote about the urgent need to focus the nation’s attention on cybersecurity threats to America’s rail system. An increasingly important element of our critical national infrastructure, rail transportation — passenger and freight — faces the same intense, focused, persistent and malevolent threat from our adversaries as do the nation’s financial institutions, energy sectors and communications network.  

As rail moves quickly into a new era of interconnectedness and reliance on more sensor technology to make the system safer and more efficient, important decisions must be made by all actors — suppliers and manufacturers, transit authorities and regulators, and state, local and national legislators — to ensure the system that moves people and goods is secure from cyber intrusions and possible cyber attacks.

Congress is reviewing important language included in the National Defense Authorization Act, which is now in conference, that would restrict federal funding for rail purchases from state-owned or sponsored enterprises. We believe this legislation, which has received bipartisan support in the House and Senate, is important both in terms of cybersecurity and to ensure continued competitiveness in the rail sector, particularly regarding transit or passenger systems.  

We are particularly concerned about the nearly unchecked penetration of the U.S. passenger rail systems by China’s CRRC, a state-owned enterprise that is an important element of China’s oft-stated plan to dominate rail manufacturing globally by 2025. While the U.S. and our allies should be alarmed by the anti-competitive nature of CRRC, which seeks to undermine and eliminate competition from Western manufacturers and suppliers, the cybersecurity threat this penetration of our market presents should be of equal concern.

We need to look no further than some clear, recent examples of China’s efforts to collect intelligence, compromise proprietary information, and position itself for future malevolent acts.  To wit:

• Between 2009 and 2013, Canadian permanent resident and Chinese national Su Bin conspired to hack into the computer systems of large defense contractors to steal data regarding some of our nation’s most advanced military projects.

• In December 2018, the Department of Justice (DOJ) indicted two Chinese nationals on charges of conspiracy to breach computer systems, among other charges. These individuals, who were tied to China’s main foreign intelligence organization, targeted aviation, telecommunications, pharmaceutical and satellite companies.

• In July of this year, DOJ unsealed a 2017 indictment of Chinese national Xudong Yao for nine counts of theft of trade secrets from a U.S. locomotive company.

To date, CRRC has established a foothold in the U.S. by securing contracts for passenger rail in the important high-volume markets of Los Angeles, Chicago, Philadelphia and Boston. But there has been pushback. Here in Washington, local legislators have requested the Washington Metro Area Transit Authority (WMATA) to include cybersecurity considerations in its requests for proposals. Legislation has been introduced in New York to protect riders from cyber intrusions by Chinese state-owned companies and Massachusetts is considering similar legislation. 

At the national level, there is bipartisan language in the National Defense Authorization Act that would prevent the use of federal taxpayer dollars for the purchase of transit rail equipment from companies controlled by the Chinese government.

The cybersecurity threat to people and systems is clear and present. We are pleased to see there is a recognition in many quarters that the U.S. must take action to minimize this threat. Accordingly, we strongly urge members of Congress to keep this vital language intact in the final bill.  

David N. Senty, a retired U.S. Air Force major general, was the first chief of staff at U.S. Cyber Command. He also is a 33-year veteran of the CIA, principally as a senior technical operations officer.

Mark S. Sparkman is a 30-year veteran of the CIA, including as an operations officer, a member of the Senior Intelligence Service and former Chief of Station. He is the chief intelligence officer for Veretus Group, an investigations and strategic intelligence firm in Washington.