Are Chinese rail cars a Trojan horse?
As if the MBTA doesn’t have enough trouble keeping its aging fleet of trains going, a state lawmaker is warning that the cure may be worse than the disease.
State Rep. Shawn Dooley says the T is jeopardizing the safety and personal information of riders by contracting with a Chinese-owned firm to build 400 new Orange and Red Line cars. With claims that sound straight out of an overwrought spy thriller, the Norfolk Republican says the state has been duped into providing a foothold for Chinese cyberattacks on a crucial part of the Greater Boston transportation infrastructure. He plans to file a bill next month that would cut off any further contracts for rail cars with the company.
Pointing to recent reports of a massive hacking of information on more than 500 million Marriott hotel guests by Chinese intelligence agents, Dooley says the state is putting the T at grave risk through its 2014 contract with CRRC’s US subsidiary to build the new cars for the T’s Red and Orange lines.
“The sophistication of the Chinese effort is no better illustrated [than] by the insidiousness of how it has lured the T as an ally,” Dooley said in a press release. “It’s a ruse and nothing more than what a powerful and well-funded espionage actor does.”
Dooley’s breathless claims sound outlandish, but there are growing concerns about the threat of cyberattacks on huge US sectors such as utilities, transportation, or health care.
“The more I speak to people, the more they think that the next Pearl Harbor is going to be a cyberattack,” internet security expert Tarah Wheeler told an audience in May during the Organization for Economic Cooperation and Development’s annual meetings in Paris. Wheeler told CNBC that US infrastructure is not well-protected against such attacks.
Dooley, who initially raised his concerns in a CommonWealth op-ed in October, said the bill he is filing would ban the state from entering into large contracts with state-controlled companies in countries designated “non-market economies.”
“The danger is that it’s their technology, controlled by their state-owned agency creating the rail cars,” he said of CRRC, whose US subsidiary opened a manufacturing facility last year in Springfield where the rail cars are being assembled with components shipped from China.
Dooley said he worries about the ability of China to shut down the rail cars and “basically handicap a region’s entire rail system.”
A spokeswoman for CRRC MA declined comment. MBTA officials say no software components for the new vehicles are manufactured in China and the equipment is thoroughly checked against standards established by the US Defense Department. “The MBTA has robust controls in place to maintain the security of the system,” said T spokesman Joe Pesaturo.
Dooley said he’d love to have someone explain that all sorts of safeguards are in place against the scenario he describes. “Show me that we’ve done this, this, and this, and it could never happen,” he said. “I’d rather say something and be wrong than not say something and be proven right. Prove to me than I’m a nut and happily I’ll go away.”
Dooley says his concerns about the rail cars were triggered by a visit in September to the Naval Academy where his daughter is a student. He sat in on a class she was taking on cybersecurity in which the instructor explained how, if a corrupted cellphone is connected to an automobile’s display monitor to run a navigation app, it’s possible to remotely take control of the vehicle’s braking, acceleration, and steering.
“It wasn’t out of James Bond,” said Dooley.
Dooley acknowledged that millions of computer-based devices made in China are imported to the US, but said we should draw the line on things connected to huge pieces of infrastructure. “If they hack into your iPhone, yeah, it’s bad,” he said. “It’s not going to be able to shut down an entire rail system.”
Dooley’s bill would not affect the current contract for new subway cars. “You can’t put the genie back in the bottle,” he said. “But you’ve got to start somewhere.”
Read the original article here.