China Calls U.S. Port Crane Cybersecurity Accusations “Entirely Paranoia”
China responded to the U.S. initiative on port cybersecurity and the focus on Chinese-manufactured cranes calling the premise of the initiative “entirely paranoia.” The response came from a spokesperson as opposed to a top government official, but falls back on China’s frequent position that the repeated use of the “China card” by the U.S. is “irresponsible.”
Concerns about China’s dominance in the global market for large port cranes used to load and unload containerships surfaced a year ago. There were assertions that China was tracking cargo movement and gaining vital data on the operation of ports both in the U.S. and internationally. Chinese manufacturer ZPMC dominates the market with nearly an 80 percent share and in many cases is the only supplier to more than 100 of the world’s top ports.
Speaking to reporters providing background to President Joe Biden’s Executive Order for port cyber security, Rear Admiral John Vann of the U.S. Coast Guard on Tuesday raised concerns about the design and operation of port cranes. He revealed that a survey of the cranes is already underway, with the USCG mandated by the Executive Order to provide a new Maritime Security Directive on “cyber risk management for ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. commercial strategic seaports.”
“By design, these cranes may be controlled, serviced, and programmed from remote locations,” Rear Admiral Vann told reporters. He said the remote access features left the cranes and in turn U.S. ports “vulnerable to exploitation.”
Liu Pengyu, spokesperson for the Chinese Embassy in the U.S. responded to the initiative writing in a message posted on X (Twitter) “The relevant claim that ‘Chinese-made cranes pose a security risk to the U.S.’ is entirely paranoia. We firmly oppose the U.S. overstretching the concept of national security and abusing national power to obstruct normal economic and trade cooperation with China.”
The comments were backup today in the regular daily press briefing by China's Foreign Ministry Spokesperson Mao Ning. When asked about the U.S. assertions, she responded, "The accusation that China-made cranes pose security risks is completely unfounded. We firmly oppose the U.S. overstretching the concept of national security and abusing state power to go after Chinese products and companies. Weaponizing economic and trade issues will exacerbate security risks in global industrial and supply chains and inevitably backfire."
It is being widely reported incorrectly that President Biden ordered U.S. ports to replace the cranes, but the Executive Order requires them to take steps to “address several vulnerabilities that have been identified.” Last year when this issue first surfaced, members of the U.S. Congress called for disabling the remote access capabilities and sensors on the cranes.
The American Association of Port Authorities (AAPA) last year called the assertions “sensationalized claims,” highlighting that there was no evidence of the claims and no examples of operations being interrupted by the manipulation of the cranes. They noted that the cranes did not contain detailed information about the cargo they were moving and said there was no evidence of tracking by the cranes.
“Playing the ‘China card’ and floating the ‘China threat’ theory is irresponsible and will harm the interests of the U.S. itself,” the Chinese spokesperson said in his response to the U.S. announcement.
US Increases Port Cybersecurity Citing Threat of Chinese Cargo Cranes
President Joe Biden today launched a sweeping Executive Order designed to give the Department of Homeland Security and the U.S. Coast Guard broader authority in strengthening maritime cybersecurity. Under the guise of strengthening the nation’s supply chains and security, the administration is highlighting a plan to invest over $20 billion over the next five years in port infrastructure including an effort to reestablish domestic crane manufacturing to end Chinese dominance in large cargo cranes.
“Every day malicious cyber actors attempt to gain unauthorized access to the Marine Transportation System’s control systems and networks,” The White House wrote in announcing the Executive Order. Without citing any specific examples and saying the move was not in response to a specific threat, the order is designed to bolster the security of the nation’s ports along with actions to strengthen maritime cybersecurity, fortify supply chains, and strengthen the U.S. industrial base they said.
While there have been multiple instances of port authorities, terminal operators, and shipping companies all experiencing hacking and cyberattacks, the issue of Chinese-manufactured cargo cranes surfaced nearly a year ago after The Wall Street Journal ran a story citing unnamed sources alleging a threat from the Chinese either spying on U.S. ports or having the potential to control the cranes remotely. The American Association of Port Authorities (AAPA) strongly refuted the accusations calling them “sensationalized claims” and saying that there is no evidence of the cranes being used to harm or track port operations.
In the Executive Order signed today by President Biden, the Department of Homeland Security is directed to address maritime cyber threats, including setting cybersecurity standards. The U.S. Coast Guard is given authority to respond to malicious cyber activity, including the authority to “control the movements of vessels that present a known or suspected cyber threat.”
It also institutes mandatory reporting of cyber incidents or active cyber threats. This includes threats to vessels, harbors, ports, or waterfront facilities. The U.S. also intends to name a Maritime Security Director.
The USCG is directed to issue a Maritime Security Directive “on cyber risk management actions for ship-to-shore cranes manufactured by the People’s Republic of China located at U.S. commercial strategic seaports.” The owners and operators of the cranes “must acknowledge the directive” and take action on the cranes and the associated information and operational technologies.
“Several vulnerabilities have been identified,” according to The White House in a MARAD advisory that is being released today. In a background briefing, Rear Admiral John Vann of the USCG said they were already assessing 200 cranes for cybersecurity vulnerabilities. He pointed out that by design the cranes and software have remote programming capabilities and tracking devices built into their systems which he contended are “vulnerable to exploitation.”
Without specifically citing the cranes, the FBI and other security agencies have warned of a potential threat from China or other malicious actors to U.S. infrastructure.
The White House today highlighted an agreement with PACECO Corp., a U.S.-based subsidiary of Japan’s Mitsui E&S Co., which they report is planning to relaunch a U.S. manufacturing capability for cranes. They emphasized that the company was a pioneer in 1958 with the first dedicated ship-to-shore container crane but ended U.S.-based crane manufacturing in the late 1980s. PACECO is reported to be looking for partners and a site but plans on manufacturing cranes in the U.S. for the first time in 30 years.
Currently, 70 to 80 percent of the large, container cranes used in ports worldwide are manufactured by ZPMC, a company headquartered in China. Emerging as a lower-cost alternative, and in many cases, the only viable supplier, the company’s large ship-to-shore cranes are deployed in over 100 countries.
Last year, lawmakers in the U.S. House of Representatives proposed the Port Crane Security & Inspection Act addressing any crane manufactured by a “foreign adversary,” and also a “crane for which any information technology and operational technology components in such crane is connected into cyberinfrastructure at a port located in the United States.”
AAPA highlighted that the Chinese company built its lead by being the only major manufacturer of large cranes. They called on the U.S. Congress to focus on efforts to reshore the manufacturing of cranes to the U.S. as a means of supporting American industry and ports.
Many of the elements of these initiatives appear to have influenced the content of the Executive Order signed today. The USCG reports it opened a public comment period running until late April as it moves forward to enact the new rules.