President Joe Biden issued an executive order Wednesday addressing cybersecurity and espionage concerns over Chinese-made cranes in use at U.S. ports, including the Port of Virginia. Additionally, the Biden administration announced a plan to invest $20 billion on infrastructure security at U.S. ports, including support for domestic manufacturing of ship-to-shore cranes.
National security concerns about espionage and other cyber crime risks associated with ship-to-shore cranes manufactured by Shanghai Zhenhua Heavy Industries Co., known as ZPMC, became public in March 2023 following a report from The Wall Street Journal. ZPMC is owned by the Chinese government, and its major shareholder is China Communications Construction Co.
In a press briefing on Tuesday, Rear Adm. John Vann, commander of the U.S. Coast Guard Cyber Command, said: “The People’s Republic of China-manufactured ship-to-shore cranes make up the largest share of the global market and account for nearly 80% of cranes at U.S. ports. By design, these cranes may be controlled, serviced and programmed from remote locations. These features potentially leave PRC-manufactured cranes vulnerable to exploitation.”
Federal officials would not disclose if there have been any known cybersecurity incidents associated with the ZPMC cranes.
The issue is so critical, Vann said on Tuesday, because “America’s system of ports and waterways accounts for over $5.4 trillion of our nation’s annual economic activity, and our ports serve as a gateway for over 90% of all overseas trade.”
All 27 of the Port of Virginia’s ship-to-shore cranes were manufactured by ZPMC, according to Cathie Vick, the Virginia Port Authority’s chief development and public affairs officer. The port also has four cranes on order from ZPMC that will be delivered to the Virginia International Gateway terminal in December 2024 and another four cranes that will be delivered to Norfolk International Terminals in August 2025, Vick said Wednesday.
Biden’s executive order expands the Coast Guard’s authority to address cybersecurity concerns. Additionally, the Coast Guard will issue a maritime security directive listing risk management steps for owners and operators of Chinese-made ship-to-shore cranes.
“Before any new cranes are put into service they are subject to a detailed forensic cyber analysis that is performed by one of the nation’s federal law enforcement agencies,” Vick said in a statement. “New cranes awaiting analysis are isolated with dedicated firewalls to ensure there is no contact with port networks or the internet.
“At the Port of Virginia, we take the issue of cybersecurity very seriously and work continuously to protect our operations against outside threats,” Vick continued in the statement. “As part of this effort, we undertake regular cybersecurity exercises that include close collaboration with several federal entities [and] partners in Hampton Roads to ensure readiness for multiple types of cyber events or threats. We are confident that our protocols will satisfy the requirements of the executive order.”
Biden’s executive order broadens the Coast Guard’s authority to address cyber threats, including granting the authority “to control the movement of vessels that present a known or suspected cyber threat to U.S. maritime infrastructure,” according to the White House.
Some of the cybersecurity regulations implemented in the executive order, including mandatory reporting of cybersecurity incidents or active cyber threats and inspections of relevant vessels and facilities, were already voluntarily included in the Port of Virginia’s protocols, Vick said.
The Biden administration will also direct more than $20 billion to port infrastructure investments over the next five years, including supporting domestic manufacturing of cranes, according to a White House news release. That will include funding to help Paceco, a U.S.-based subsidiary of Japanese company Mitsui E&S Co., to manufacture ship-to-shore cranes in the United States. Paceco previously manufactured cranes in the U.S. from 1958 until the late 1980s, according to the White House.
Currently, no cranes comparable to ZPMC’s are manufactured in the U.S., according to reporting from The Wall Street Journal, and an alternative crane used by some U.S. ports from Finnish company Konecranes costs about a third more.
Speaking to reporters Tuesday, Anne Neuberger, U.S. deputy national security advisor for cyber and emerging technologies, said that the administration is not looking at a “rip and replace” strategy for ship-to-shore cranes already in use, but instead was focused on setting cybersecurity requirements “to secure the existing infrastructure” and to also make sure that ports “can go [back] to buying trusted cranes and to bringing back [crane] manufacturing to the United States, given how important cranes are to port operations.”
At this time, the Virginia Port Authority does not have plans to replace its ZPMC-made cranes, and port officials have not had any discussions with the federal government about that, Vick said.
Neuberger said that while the executive order “certainly ties to particular concerns about Chinese cyber activity, we also have concerns regarding criminal activity.” She cited a criminal ransomware attack that disrupted the Port of Nagoya in Japan for more than two days in July 2023.
There have been no reports of cybersecurity breaches affecting Port of Virginia cranes, according to Vick. The federal government has not alerted the port to any instances of cranes in Virginia being used for espionage.
“We are confident that all of the cranes owned and operated by the Port of Virginia are safe and secure and will already comply with the parameters set forth in the executive order,” Vick said in a statement. “We employ best practices and will continue to collaborate with multiple federal law enforcement agencies to ensure the equipment we purchase, own and operate is here for its intended use, which is to move cargo.”