Lawmakers target Chinese rail cars over security concerns

Lawmakers target Chinese rail cars over security concerns
© Getty Images

A Chinese company that is designing subway train cars for U.S. cities is at the center of growing scrutiny over worries that its products could be susceptible to hacking or remote control.

Lawmakers from both parties have urged transit agencies, including the Washington Metropolitan Area Transit Authority (WMATA) and the Metropolitan Transit Authority (MTA) in New York state, not to award contracts to the China Railway Rolling Stock Corporation (CRRC), claiming concerns about national security.

They have cited cyber- and other security concerns and warned against giving a Chinese state-owned business control over critical American infrastructure.


In a letter earlier this month, a bipartisan group of House members from New York wrote to the New York City Transit Authority and the MTA, warning of “comprehensive efforts to undermine U.S. economic competitiveness and national security.”

Senate Minority Leader Charles SchumerChuck SchumerBiden to meet with 6 GOP senators next week The Hill's Morning Report - Presented by Emergent BioSolutions - Upbeat jobs data, relaxed COVID-19 restrictions offer rosier US picture How to fast-track climate action? EPA cutting super pollutant HFCs MORE (D-N.Y.) also zeroed in on this issue last week, calling on the Commerce Department to “thoroughly investigate” the CRRC.

The lawmakers who have put the spotlight on the CRRC acknowledge that no American companies currently manufacture rail cars. But they note that the next generation of rail cars will include Wi-Fi systems and more advanced train tracking technology and caution that more safeguards must be in place to ensure security.

“Given what we know about how cyberwarfare works, and recent attacks that have hit transportation and infrastructure hubs across the country, the Department of Commerce must give the green light and thoroughly check any proposals or work China’s CRRC does on behalf of the New York subway system, including our signals, Wi-Fi and more,” Schumer said in a statement.

The CRRC is only the latest Chinese firm to come under the microscope in the U.S. over security concerns. The administration last month decided to blacklist products from Chinese telecommunications firm Huawei, before granting a 90-day delay. And the scrutiny comes with the U.S. and China in the midst of a trade war after billions in tit-for-tat tariffs and with negotiations on a new trade deal deadlocked.


The company at the center of the new firestorm, the CRRC, has ambitious plans for the U.S. market.

It is already the largest manufacturer of metro rail cars in the world and is building rail cars for Los Angeles, Philadelphia and Chicago. It was also a winner of an MTA Genius Transit Challenge in 2018 and has promised to invest its own funds to develop a next generation subway car for New York City. The company is also reportedly bidding on a $500 million WMATA contract.

The CRRC is pushing back on the allegations and insisting that the company adheres to the highest cybersecurity standards.

Marina Popovic, the chief legal counsel and director of human resources for CRRC Sifang America, told The Hill this week that while the company is associated with China, it works to source components for building train cars from U.S. companies.

“There is a connection to China, yes, we are a subsidiary of a company out of China, but ... [that] is not really the most important focus here,” Popovic said. “The focus is on what kind of work and manufacturing we are going to do, and what happens when we do manufacture rail cars.”

Popovic noted that the train control and management systems, which she termed the “brain of the train,” are not built using Chinese materials and said that both the CRRC and transit agencies, such as the Chicago Transit Authority (CTA), are dedicated to ensuring the cybersecurity of these train cars.

To build the 7000-series metro cars for the CTA, the CRRC used components from U.S. companies such as Siemens USA and North American Specialty Glass for some parts.

The company is also dismissing fears that it would retain the ability to control the rail cars once they are built.

Popovic stressed that once the CRRC has built the metro cars, they are “solely, wholly, and completely” in the hands of the transit agency.

“CRRC is very dedicated and very supportive of the fact that there will be security measures, safety measures, and transit agencies will want to be satisfied before they accept a car,” Popovic said.

Popovic noted that the CRRC recently built “explosion-proof” metro cars for Tel Aviv, highlighting the strong focus on security in Israel as proof the company’s products can be trusted.

The company also believes the concerns about cybersecurity and the company’s ties to China are being drummed up by U.S. freight rail manufacturers threatened by potential competition.

Popovic called it a “campaign” against the CRRC.

“At the end of the day, what does every transit agency that is seeking bids for rail cars looking for?” Popovic said. “Competition -— it drives a better product, a better price, and a better result for the agency, and what is happening here with this campaign is it is pushing the exact opposite, trying to hinder competition.”

Critics, though, have pushed back, arguing that the questions about the CRRC are legitimate.

Erik Olson, the vice president of the Rail Security Alliance, called the CRRC’s defenses “hollow.”

“The only campaign that is being waged here is the one that the Chinese government is executing through its Made in China 2025 initiative,” Olson told The Hill on Tuesday.

The Made in China 2025 initiative is the Chinese government’s 10-year plan meant to update China’s manufacturing base, such as through developing new technologies including information technology and advanced telecommunications. 

“CRRC is a Chinese state-owned enterprise and has a nearly ten-year track record of engaging in anti-competitive practices, to the detriment of the cities and countries where they do business,” Olson said. “Cybersecurity experts at the highest levels of our government and lawmakers on both sides of the aisle agree that there is a real threat to U.S. economic and national security. Hollow denials by CRRC don’t change that.”

For now, it is unclear if the Trump administration will take any action on the CRRC.

The company is pushing ahead with its plans for the U.S. even as lawmakers sound the alarm.

Popovic said at the end of the day the company just wants a “fair shot” to compete for contracts.