Senators worry that new D.C. Metro railcars could carry cyber risk
Senators who represent the Washington, D.C., area have raised concerns about added cybersecurity risks in the region’s Metro system after reports that a Chinese state-owned manufacturing company could win a $1 billion procurement for railcars.
The four Democrats – Sens. Mark Warner and Tim Kaine of Virginia, and Ben Cardin and Chris Van Hollen of Maryland – wrote to the Washington Metropolitan Area Transit Authority expressing their “serious concerns” about possible foreign bidding on the project, “particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security.”
In the Jan. 18 letter to WMATA CEO Paul J. Wiedefeld, the lawmakers exhorted him to “take the necessary steps to mitigate growing cyber risks to these cars.” The worry is that technology in the transit system, including video surveillance cameras and the automated aspects of railcars, could be a target of spies or hackers.
The state-owned China Railway Rolling Stock Corp. “is expected to be a strong contender” for a Metro contract likely worth over $1 billion for between 256 and 800 new railcars, The Washington Post reported Jan. 7.
U.S. intelligence officials and lawmakers regularly allege that the Chinese government could leverage technology deployed by Chinese companies to spy on Americans or introduce other vulnerabilities to infrastructure. Chinese companies have routinely denied those allegations.
Metro is planning on amending an earlier request for proposals for the railcar project to include cybersecurity protocols, according to the senators. The lawmakers want to know how rigorous these protocols are, and if Metro will consult cybersecurity experts at the departments of Homeland Security and Transportation when evaluating project bids.
In a reference to China, the senators asked Wiedefeld if Metro will consider a company’s ties to foreign governments with a history of industrial and cyber-espionage when assessing bids, and whether the transit authority will allow a railcar’s sensitive components to be sourced from such countries.
For the senators, federal oversight of the Metro railcar project is key. They want to know if Metro officials have been briefed by DHS or other agencies on foreign hackers’ probing of U.S. critical infrastructure. The lawmakers also ask if Metro will consult with defense officials before allowing foreign-government-built railcars to stop at the Pentagon, which is part of the Metro system.
In a statement, Wiedefeld said he had received the letter and would respond to the senators as soon as possible.
“We recognize the important national security concerns being raised, and we are working to strengthen this procurement and others with new cybersecurity requirements,” Wiedefeld said. “While we have a fiduciary responsibility with all procurements, safety and security is always our first priority.”
Metro, which has been losing $400,000 a day because of the government shutdown, is doing a series of cybersecurity audits designed to make it less vulnerable to hacking, according to The Post. A classified inspector general report presented to the Metro board last June found “opportunities for improvement” in how the agency detects and remediates malicious cyber activity, the newspaper reported.
You can read the full letter at https://www.documentcloud.org/documents/5690574-WMATA-Cyber-Concerns-8000-Series-Rail-Car-RFP.html