Are Cranes at U.S. Ports Chinese Spy Tools?
“How can it be a spy satellite if they announce on television that it’s a spy satellite?”
–George Carlin
If you’re ever at a major U.S. port, take a look at the cranes looming over the container ships and see if you can spot any Made in China stickers on them. Did you know that about 80% of the cranes that lift containers off ships and put them on the docks in the U.S. are made by China? Now imagine China using those cranes for espionage and cyber attacks. I’m not describing the plot of some James Bond-type spy movie. The government is warning us right now that that’s a real possibility.
New Regulation Around Threat from Chinese-Made Cranes
U.S. ports are getting a new set of regulations to follow in case their cranes really are spy devices, as John Gallagher reports in a FreightWaves article:
Owners and operators of over 200 Chinese-made container cranes at U.S. ports will be subject to new cyber-risk management requirements aimed at reducing China’s ability to spy on America’s domestic supply chains.
The Coast Guard, on behalf of the Department of Homeland Security, announced yesterday that owners and operators of the Chinese-made cranes “should immediately contact their local Coast Guard Captain of the Port (COTP)” to obtain copies of Maritime Security Directive 105-4. The directive gives the new “cyber risk management actions” to follow.
I won’t be able to share the directive and new rules that will have to be followed at the ports because “The directive contains security-sensitive information and, therefore, cannot be made available to the general public.” But I will share the full text of the Coast Guard announcement at the end of this post.
How Are Cranes a Threat?
The Coast Guard announcement contains some explanation of how and why the Chinese-manufactured ship to shore (SPS) cranes are a threat:
By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system.
As such, additional measures are necessary to prevent a Transportation Security Incident in the national transportation system due to the prevalence of PRC-manufactured STS cranes in the U.S., threat intelligence related to the PRC’s interest in disrupting U.S. critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes.
Hunt for Threats on Cranes
The Coast Guard says an examination of the cranes for security threats is well underway, as Gallagher reports in his FreightWaves article:
At a White House briefing on Tuesday, Coast Guard Rear Adm. John Vann, who heads the agency’s cybercommand, said that his teams have “assessed cybersecurity or hunted for threats” on 92 of the cranes so far.
“Those assessments determine the cybersecurity posture, and the hunt missions actually look for malicious cyberactivity on the cranes,” Vann said. “We’ve almost canvassed about 50% of the existing cranes,” he added, but did not state whether security concerns were discovered on those cranes.
President Biden Allocates Billions for American-Made Cranes
The Biden Administration announced that serious money will be put into the American manufacture of STS cranes, as reported by Michael Angell in the Journal of Commerce:
The Biden Administration plans to spend $20 billion to bring the manufacturing of ship-to-shore cranes back to the US as the White House raises an alarm over the potential of Chinese-made cranes being used to launch a cyberattack on America’s port infrastructure.
The White House said in a statement Wednesday the funding — to be made available over the next five years through the Infrastructure Investment and Jobs Act and the Inflation Reduction Act — will bring “port crane manufacturing capabilities back to the US for the first time in 30 years.”
Government Coordinates Warnings of Chinese Espionage
Meanwhile, the FBI and Department of Transportation’s Maritime Administration are getting in on the warnings of possible Chinese espionage in the U.S. supply chain. Angell reports:
FBI Director Christopher Wray testified before Congress this week that the Chinese government’s attempts at planting spyware and mounting cyberattacks on US infrastructure are “at a scale greater than we’d seen before.” US intelligence experts have warned that sensors and remote monitoring software installed in ZPMC cranes make the equipment vulnerable to hacking attacks.
…
…the Department of Transportation’s Maritime Administration (MARAD) issued an advisory that US ports need to be alert to the security risks of ZPMC [China’s Zhenhua Heavy Industries] cranes because the remote monitoring and similar features make them “vulnerable to exploitation.”
MARAD also advised caution regarding the use of Logink, a logistics management software system developed by a Chinese government agency that is in use at 24 ports globally. The agency also warned about X-ray and cargo scanning equipment from a Chinese state-controlled entity called Nuctech due to its inability to screen for certain types of radioactive material.
Conclusion
Foreign entities in the economically and security crucial U.S. ports have long been an issue. When I started writing about international shipping more than a decade ago, around 80% of U.S. port terminals were owned and operated by foreign companies. I touched on this issue last year when yet another such company, CMA CGM, acquired two more U.S. terminals at the Port of New York and New Jersey. The previous administration found it particularly concerning when a Chinese state owned company was gaining control of a Port of Long Beach Terminal.
President Trump, who launched a trade war against China, forced the sale of the Long Beach terminal because of the national security threat of China owning and operating the terminal. So the idea of China being a threat at the ports isn’t new, but it hasn’t gotten a great deal of attention.
The idea of cranes being espionage tools for China makes for good headlines. That’s also why it’s easy to suspect this as a political ploy in an election year. Is, has, or will China use the cranes for espionage or cyber attack on the U.S. supply chain? I don’t know, but if the possibility results in a bit more attention to the security of U.S. ports, and foreign entities in them, that at least seems like a good thing.
As promised, the full text of the Coast Guard’s announcement of Directive 105-4 is below.
Full Text of Coast Guard Announcement
This document is scheduled to be published in the Federal Register on 02/23/2024 and available online at https://federalregister.gov/d/2024-03822, and on https://govinfo.gov DEPARTMENT OF HOMELAND SECURITY Coast Guard [Docket No. USCG-2024-0049] Issuance of Maritime Security (MARSEC) Directive 105-4; Cyber Risk Management Actions for Ship-to-Shore Cranes Manufactured by People’s Republic of China Companies AGENCY: Coast Guard, DHS. ACTION: Notice of availability. ________________________________________________________________________ SUMMARY: The Coast Guard announces the availability of Maritime Security (MARSEC) Directive 105-4, which provides cyber risk management actions for owners or operators of ship-to-shore (STS) cranes manufactured by People’s Republic of China (PRC) companies (PRC-manufactured STS cranes). The directive contains security- sensitive information and, therefore, cannot be made available to the general public. Owners or operators of PRC-manufactured STS cranes should immediately contact their local Coast Guard Captain of the Port (COTP) or District Commander for a copy of MARSEC Directive 105-4. DATES: MARSEC Directive 105-4 is available on February 21, 2024. FOR FURTHER INFORMATION CONTACT: For information about this document call or e-mail Brandon Link, Commander, U.S. Coast Guard, Office of Port and Facility Compliance; telephone 202-372-1107, e-mail Brandon.M.Link@uscg.mil. SUPPLEMENTARY INFORMATION: Background and Purpose MARSEC Directive 105-4 provides cyber risk management actions for owners or operators of PRC-manufactured STS cranes. Owners or operators of PRC-manufactured STS cranes should immediately contact their local COTP or cognizant District Commander for a copy of MARSEC Directive 105-4. The Maritime Transportation Security Act’s implementing regulations in 33 CFR parts 101-105 are designed to protect the maritime elements of the national transportation system. Under 33 CFR 101.405, the Coast Guard may set forth additional security measures to respond to a threat assessment or to a specific threat against those maritime elements. In addition, per 33 CFR 6.14-1, the Commandant “may prescribe such conditions and restrictions relating to the safety of waterfront facilities and vessels in port as the Commandant finds to be necessary under existing circumstances.” PRC-manufactured STS cranes make up the largest share of the global ship-to-shore crane market and account for nearly 80% of the STS cranes at U.S. ports. By design, these cranes may be controlled, serviced, and programmed from remote locations, and those features potentially leave PRC-manufactured STS cranes vulnerable to exploitation, threatening the maritime elements of the national transportation system. As such, additional measures are necessary to prevent a Transportation Security Incident in the national transportation system due to the prevalence of PRC-manufactured STS cranes in the U.S., threat intelligence related to the PRC’s interest in disrupting U.S. critical infrastructure, and the built-in vulnerabilities for remote access and control of these STS cranes. Procedural COTPs and District Commanders can access all MARSEC directives on Homeport by logging in and going to Missions > Maritime Security > Domestic Ports and Waterway Security > Policy. Owners and operators of PRC-manufactured cranes must contact their local COTP or cognizant District Commander to acquire a copy of MARSEC Directive 105-4. COTPs or cognizant District Commanders may provide this MARSEC Directive to appropriate owners and operators in accordance with SSI handling procedures. Pursuant to 33 CFR 101.405, we consulted with the Department of State, Department of Defense, Department of Transportation/Maritime Administration, Department of Homeland Security, Transportation Security Administration, Cybersecurity and Infrastructure Security Agency, and National Maritime Intelligence-Integration Office. All MARSEC Directives issued pursuant to 33 CFR 101.405 are marked as SSI in accordance with 49 CFR Part 1520. COTPs and District Commanders will require individuals requesting a MARSEC Directive to prove that they meet the standards for a “covered person” under 49 CFR 1520.7, have a “need to know” the information, as defined in 49 CFR 1520.11, and that they will safeguard the SSI in MARSEC Directive 105-4 as required in 49 CFR 1520.9. This notice is issued under authority of 33 CFR 6.14-1 and 101.405(a)(2) and 5 U.S.C. 552(a). Dated: February 21, 2024. Amy M. Beach, Captain, U.S. Coast Guard, Director of Inspections and Compliance.
