Feds say Chinese cranes used at Port of Va. could be spy tools

The Port of Virginia may have as many as 30 Chinese ship-to-shore cranes that have come under scrutiny from Pentagon officials over national security concerns, and the port has five more on delivery for next year.

The cranes made by Shanghai Zhenhua Heavy Industries Co., known as ZPMC, a state-owned company whose major shareholder is China Communications Construction Co., are a possible security risk, according to a report from The Wall Street Journal, as U.S. defense and national security officials voiced concerns that China could use technology in the cranes to gather information about materiel being shipped to support U.S. military operations. ZPMC cranes contain sensors that can track containers’ origins and destinations, and the cranes also could be vulnerable to remote access attacks that could disrupt shipping, Pentagon and national security officials told the Journal.

The story comes amid heightened U.S. concerns about Chinese spying, including the recent surveillance balloon saga and Gov. Glenn Youngkin’s decision late last year to remove Virginia from consideration for a $3.5 billion Ford Motor Co. battery plant with ties to a Chinese company.

Virginia Port Authority spokesperson Joe Harris declined to confirm the port’s number of ZPMC-made cranes, although the port has announced purchases and arrivals of ZPMC cranes over the past few years.

The American Association of Port Authorities disputes the existence of a threat. “There have been no known security breaches as the result of any cranes at U.S. ports, despite alarmist media reports,” the association said in a statement. “Further, modern cranes are very fast and sophisticated, but even they can’t track the origin, destination or nature of the cargo.”

Operational technology devices such as cameras, weight sensors and safety sensors are often integrated into equipment systems and are largely the cause for defense officials’ concern around ZPMC’s cranes, said Chris Wolski, a former information security officer for Port Houston.

Potential espionage scenarios include using a crane’s camera system to view a container’s serial number and determine where a container was loaded in order to track it, he said. A bad actor could also disable crane systems and stop cargo operations by overriding safety sensors or causing false readings. “Things like that, if they’re not under control or could be remotely controlled by another party, then you can have potential security concerns,” Wolski said.

Gathering materiel shipment data — origins, destinations and manifests — wouldn’t provide much useful information, said Lonnie Henley, a retired intelligence officer and a senior fellow with the Foreign Policy Research Institute’s Asia program. “If I had information like that and had all the processing power in the world, I’m still not sure what military operational benefit I can gain from it,” he said, adding that clandestine shipments would likely already have obfuscated manifests.

In January, the Port of Virginia announced it had finalized the purchase of five ZPMC-manufactured cranes for $61.6 million. Delivery is set for December 2024, and the 1,827-ton cranes will replace two existing units at the Virginia International Gateway and three in the South Berth at Norfolk International Terminals. Able to handle ultra-large container vessels, the new cranes can reach across a vessel that is 26 containers wide, about three to four containers farther than most cranes can reach.

The Port of Virginia first began using ZPMC cranes in 2000. The Newport News Marine Terminal’s crane, which has been in service since 1982, appears to be the only crane at the port made by a different manufacturer — Crane Materials International (CMI). Harris did not answer a request for confirmation that the Newport News terminal’s crane is the sole one made by a manufacturer other than ZPMC.

In October 2022, the Virginia Port Authority sold three ZPMC ship-to-shore cranes and their replacements parts to Haina International Terminals, the operator of the Río Haina Port in the Dominican Republic, for $50,000 for each crane and $50,000 for associated replacement parts.

By the end of 2023, the U.S. Department of Transportation’s maritime administrator, working with the Department of Defense and others, is required to produce an unclassified study examining whether cranes from foreign manufacturers pose security risks to American ports. The requirement comes from part of the $850 billion National Defense Authorization Act passed in December 2022.

Heightened U.S.-China tensions

The reported security concerns about the cranes come amid a time of heightened tensions between the U.S. and China, whose foreign ministry spokesperson said on Monday that U.S. concerns about ZPMC cranes were “complete paranoia.” In February, the U.S. Air Force shot down a balloon off the coast of South Carolina that Biden administration officials identified as a Chinese high-altitude surveillance balloon. The U.S. began tracking the balloon’s progress on Jan. 28 as it crossed from Alaska to Canada to Idaho and the East Coast.

On Tuesday, a group of 12 bipartisan senators led by U.S. Sen. Mark Warner, D-Virginia, chairman of the Senate Select Committee on Intelligence, and Sen. John Thune, R-South Dakota, introduced legislation that would allow the Department of Commerce to review and prohibit “transactions involving information and communications technology products in which any foreign adversary has any interest and poses undue or unacceptable risk to national security.” The Restricting the Emergence of Security Threats that Risk Information and Communications Technology (RESTRICT) Act could ultimately allow the executive branch to ban TikTok.

In his opening statement for the Senate Intelligence Committee’s open hearing on worldwide threats on Wednesday, Warner said, “The [People’s Republic of China] has … become an active player in the international technology standards-setting bodies and is embedding itself in global supply chains. All this is why the United States must aggressively invest in the talent, tools and research to lead in tomorrow’s technologies.”

In late February, the Biden administration was considering revoking U.S. suppliers’ export licenses for sales to Chinese telecom company Huawei Technologies Co. The federal government has previously banned other Huawei products for sale and import in the U.S. over concerns that the devices could be used by Beijing for espionage.

In January, Youngkin confirmed he had pulled Virginia out of consideration for a $3.5 billion Ford Motor Co. electric vehicle battery plant, citing concerns over the involvement of China-based Contemporary Amperex Technology Ltd. (CATL), which would operate the plant. In February, Ford announced it would build the plant in Michigan.

ZPMC has about 70% of the world market share for large-scale cranes for handling port containers and bulk materials like ore and coal, according to its website, and its products have entered 104 countries. Nearly 80% of the cranes in use at U.S. ports are made by ZPMC, according to The Wall Street Journal.

No cranes comparable to ZPMC’s are manufactured in the U.S., The Wall Street Journal reported, and an alternative used by some U.S. ports from Finnish company Konecranes costs about a third more. The AAPA advocates for government support for U.S. production of port equipment and plans to unveil a bill outlining its envisioned support at its summit later this month.

One step port authorities can take to mitigate risks from foreign-made technology, Wolski said, is conducting a post-delivery systems check including examining the system code and eliminate places for potential backdoor access. “Anything that’s connected to a computer network is vulnerable to a cyberattack,” Wolski said. “It’s a matter of how well they’ve set up the defense for the cybersecurity of the organization and of the equipment.”

Some ports also mitigate risks by using software from Swiss company ABB Ltd. with the cargo cranes instead of using ZPMC’s software, according to The Wall Street Journal. Harris did not respond to a request about which software the Port of Virginia runs on its cranes.

Nevertheless, the Port of Virginia appears to already be taking cybersecurity precautions around the cranes, according to a statement from Harris: “Before any new cranes are put into service, they are subject to a detailed forensic cyberanalysis that is performed by one of the nation’s federal law enforcement agencies. New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.”

Editor’s note: This article has been amended to reflect the total possible number of ZPMC-made cranes used by the Port of Virginia.