The House Select Committee on the Chinese Communist Party has completed its review of cybersecurity risks arising from the dominance of one Chinese crane manufacturer, and has released a comprehensive report on its findings (including a classified annex of findings that cannot be shared with the public).
State-owned Shanghai Zhenhua Heavy Industries (ZPMC) is by far the world’s most popular supplier of ship-to-shore (STS) container cranes, and its products can be found in seaports in every time zone. It is also the leading supplier in the American market: about 80 percent of all STS cranes at U.S. ports were built and shipped by ZPMC.
Cyber and maritime security experts have warned that the electronic equipment fitted to ZPMC’s cranes could be used for surveillance, or even for remote manipulation or shutdown. Some of the firm’s cranes in the U.S. have been found to have their own onboard cellular modems, giving them an independent connection that bypasses the port’s own local area network.
According to the committee, ZPMC has repeatedly requested remote access to its STS cranes around the U.S., especially those on the West Coast, where the busiest container terminals in the U.S. are located. The FBI also retrieved what it believed to be “intelligence collection devices” from a shipment of ZPMC cranes at the Port of Baltimore in 2021.
“ZPMC could, if desired, serve as a Trojan horse capable of helping the CCP and the PRC military exploit and manipulate U.S. maritime equipment and technology at their request,” said Representatives John Moolenaar (R-MI), Mark E. Green, MD (R-TN) and Carlos Gimenez (R-FL). “By potentially sacrificing long-term economic security for short-term financial gain, we have given the CCP the ability to track the movement of goods through our ports or even halt port activity at the drop of a hat.”
The committees found a range of potential vulnerabilities in their study:
- When ZPMC signs deals with U.S. ports to supply STS cranes and other equipment, its contracts contain no restrictions on installation or access to the technology package on the machinery. This makes it contractually possible for ZPMC to install unauthorized equipment or software without breaching its sales agreements.
- Like all leading Chinese state-owned enterprises, ZPMC has senior party members and defense executives on its board, and it has connections to the PLA. It has made business deals with U.S.-sanctioned entities involved in human rights abuses, according to the committee.
The committees said that while the Biden administration’s executive orders on port cybersecurity have helped – the Coast Guard now has cyber infrastructure enforcement powers – more will need to be done. “The Committees remain concerned that the port authorities have often structured their legal agreements with terminal operators in such a way as to pass off risk and are unable or unwilling to address the cybersecurity challenges,” the investigators concluded. “[Expert cyber testing] can significantly reduce the vulnerabilities posed by the PRC, but some ports do not engage in any of these actions.”
In a statement, the American Association of Port Authorities (AAPA) thanked the committees for their work and emphasized that America’s ports have never had a known cyber breach affecting equipment. (Unrelated cyber incidents have affected cargo handling systems and internal IT business networks in years past, but not cranes.)
“We are eager to continue collaborating with Federal Government leaders to respond to evolving threat landscapes with forward looking policy solutions like waivers to burdensome procurement requirements and incentives for the domestic manufacture of critical port equipment,” said AAPA CEO Cary S. Davis in a statement.