State rep’s rail-car warning echoes in DC

Congress, Pentagon, and now Metro transit system share concerns over Chinese firm

STATE REP. SHAWN DOOLEY acknowledged last month that some might think he had a screw loose for sounding a warning over the cybersecurity risks posed by the MBTA contracting with a Chinese rail car maker to deliver 400 new Orange and Red line subway cars.

The Norfolk Republican said he was concerned that the contract with the state-owned China Railway Rolling Stock Corp., or CRRC, could expose the T to sabotage — everything from spyware that captures information from riders’ smartphones to an ability for foreign players to shutdown the system or cause a collision.

Dooley said CRRC’s contract was “a ruse and nothing more than what a powerful and well-funded espionage actor does.” He said he plans to file legislation this month that would ban future such contracts.

“I’d rather say something and be wrong than not say something and be proven right,” Dooley told CommonWealth last month. He explained that his concern was triggered by what he learned recently from sitting in on a cybersecurity class at the US Naval Academy, where his daughter is a student. “Prove to me than I’m a nut and happily I’ll go away.”

Rather than being shown to be a nut, Dooley is undoubtedly taking some satisfaction this morning in the fact that the Washington Post ran out an 1,800-word front-page story today that reports on the very concerns he has raised.

The story focuses on an upcoming contract Washington’s Metro subway system plans to award for new subway cars, a deal worth more than $1 billion that CRRC appears to be well-positioned to win.

“Congress, the Pentagon, and industry experts have taken the warnings seriously, and now Metro will do the same,” the paper says of espionage concerns related to the Chinese company.

The Post says the DC Metro has revised its bid specifications in order to add more security safeguards.

“We don’t want to get trapped into a xenophobic conversation . . . but we also don’t want to be naive,” Robert Puentes, president of the Eno Center for Transportation, a Washington-based think tank, told the paper.

Proposals are pending in Washington in both the House and Senate to impose a one-year moratorium on the purchase of any Chinese-made buses or rail cars using federal funds. Such a move would, however, drive up costs to local transit systems. CRRC has been able to significantly underbid other firms, something critics call an unfair advantage it enjoys as a result of state subsidies.

The Post says CRRC’s foothold in the US market started with the 2014 contract it won with the MBTA. Since then, it has landed contracts for new rail cars with transit systems in Chicago, Los Angeles, and Philadelphia.

All four systems say they have safeguards in place against the security concerns being raised. The MBTA said last month in response to Dooley’s warnings that no software components in its new rail cars will be manufactured in China and that all equipment would be checked against standards developed by the US Defense Department.

Andrew Grotto, a former senior director for cybersecurity policy on the National Security Council, told the Post the security measures adopted by the T and the three other US transit agencies were “appropriate,” but he raised questions about their implementation.

“Who is responsible and held accountable for seeing these results through? How will monitoring and auditing work?” Grotto said.

Read the original article here.

Featured Posts