Spies in the sky?

High-level federal concerns over Chinese-made ship-to-shore cranes ramped up in February after President Joe Biden issued an executive order addressing cybersecurity and espionage risks the cranes pose at U.S. ports.

Then in early March, a congressional investigation revealed cellular modems had been found on some Chinese crane components at a U.S. port and a modem
was discovered in another port’s server room — although the specific ports were not disclosed — according to The Wall Street Journal.

Chinese state-owned Shanghai Zhenhua Heavy Industries Co., known as ZPMC, manufactures about 80% of all cranes in use at U.S. ports — including all 27 of the Port of Virginia’s ship-to-shore cranes. The port has eight more cranes on order from ZPMC, including four that will be delivered in December and another four set to be delivered in August 2025.

However, notes Cathie Vick, the Virginia Port Authority’s chief development and public affairs officer, there have been no reports of cybersecurity breaches involving Port of Virginia cranes, and the federal government has not alerted the port about any instances of Chinese espionage involving Virginia cranes.

Nonetheless, “it’s incumbent on the industry to stay vigilant,” says Derek Miller, the American Association of Port Authorities’ government relations director.

During congressional testimony in late February, Rear Adm. John Vann, commander of the U.S. Coast Guard Cyber Command, said the Coast Guard had found “vulnerabilities that are there by design” in crane software networks but had not found malware or Trojan horse-type software.

At the Port of Virginia, “before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies,” Vick said in a Feb. 21 statement after Biden released his executive order expanding the Coast Guard’s authority to address cybersecurity concerns. “New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”

Additionally, the port undergoes regular cybersecurity exercises with federal entities, and some of the regulations implemented in Biden’s executive order, like mandatory reporting of cybersecurity incidents or active cyberthreats, were already included in the port’s protocols.

The AAPA is supportive of the Biden administration’s actions, Miller says, “particularly the executive order, which really was aimed at bringing the Coast Guard’s authorities when it comes to cybersecurity up to the level that they are with physical security.”

The White House also announced it would direct more than $20 billion in federal funds to invest in port infrastructure over the next five years, including supporting domestic manufacturing of cranes from a U.S.-based subsidiary of Japanese company Mitsui E&S Co.

Following Biden’s order, members of two U.S. House of Representatives committees sent a letter to ZPMC that made public the investigators’ discovery of modems at U.S. ports. The Coast Guard also issued a Feb. 23 directive listing risk management steps for owners and operators of Chinese-made ship-to-shore cranes.

“Obviously, the Port of Virginia will follow whatever the directions are and the law, but having said that … there’s been no, at least publicized, documented issue with the cranes in terms of their software,” says Aubrey Layne Jr., board chair of the Virginia Port Authority. “And so … for the policies to come out, that was a little bit perplexing.

“Any Chinese-owned companies now are being scrutinized, and we get it, so we want to make sure that we are compliant, but it is very political right now, and we’re trying to stay out of all that,” notes Layne, who served as Virginia’s secretary of finance and, before that, the state’s transportation secretary. “We’re just trying to run our business in a safe way for the American people.”