Top Republicans from multiple House committees are sounding the alarm on a series of mysterious devices that appear to have been implanted into container cranes used throughout the U.S. port system by China.
The lawmakers say that numerous modems with no known function were uncovered from ship-to-shore (STS) cranes, which are used to unload cargo at the nation’s largest ports.
All of the cranes in question were manufactured by Shanghai Zhenhua Heavy Industries (ZPMC), a subsidiary of the state-owned China Communications Construction Co.
Relatedly, the lawmakers noted that ZPMC’s manufacturing facility is located adjacent to China’s most advanced ship-making facility, where the regime builds its aircraft carriers and houses advanced intelligence capabilities.
“These components do not contribute to the operation of the STS cranes or maritime infrastructure and are not part of any existing contract between ZPMC and the receiving U.S. maritime port,” the letter said.
“The Committees have serious concerns that this proximity to the [Chinese military’s] main shipyard provides malicious CCP [Chinese Communist Party] entities, including its intelligence agencies and security services, with ample opportunity to modify U.S.-bound maritime equipment, exploit it to malfunction, or otherwise facilitate cyber espionage thereby compromising U.S. maritime critical infrastructure.”
At that time, Coast Guard cyber protection teams had assessed the cybersecurity or hunted for threats on 92 of those cranes, he said.
The discovery comes amid an ongoing congressional investigation into the operation of cranes manufactured in China and operating at U.S. ports.
As part of another cybersecurity investigation, some of the modems in question were also found to have active connections to the operational components of the STS cranes, suggesting they could be remotely controlled by a device no one previously knew was there.
Speaking to reporters last month, White House Deputy National Security Adviser Anne Neuberger said the cranes were designed to be serviceable from a remote location, which leaves them open to such exploitation.
“By design, these cranes may be controlled, serviced, and programmed from remote locations,” Ms. Neuberger said. “These features potentially leave [China]-manufactured cranes vulnerable to exploitation.
As such, the letter suggests that every U.S. seaport with ZPMC cranes could already be, or is at risk of being, compromised by the CCP.
“Those container cranes are not cranes,” Mr. Mills said. “They’re IP endpoints on a worldwide intelligence collection system.”
To that end, he said that the cranes’ operational and safety features could likely be overridden remotely. This would allow the CCP to potentially trick one of the giant cranes into shifting its counterbalance in such a way that would cause it to crash into ships or containers in the nation’s busiest ports.
Complicating the issue all the more, he said, was the fact that the niche nature of the cargo cranes and their programming means it is unlikely a tailored cyber response to secure the systems will be created anytime soon.
To counter the threat in the long term, he added, the United States would need to ensure that it manufactured such vital equipment in its own territory.
“As things play out, they’re [the CCP] going to start initiating the hitting of target sets in cyber. The port cranes are a perfect example,” Mr. Mills said.
“This is the importance of making things here. If you want to reduce the Chinese threat, start making things here.”
