According to US intelligence, Beijing can throttle port traffic or gather intelligence on military equipment being shipped by using Chinese-made ZPMC cranes.
Earlier last week, the United States House Homeland Security Subcommittee on Transportation and Maritime Security, held a hearing to examine security vulnerabilities at US maritime ports amid increased cybersecurity threats from China. The said committee, for the last one year, as part of its investigation, has been focused on the penetration of Shanghai Zhenhua Heavy Industries (ZPMC), a Chinese state-owned enterprise, into the United States.
ZPMC is the world’s largest manufacturer of cranes and accounts for about 75% of the world-market share for container cranes. The figure of ZPMC for the US market stands at 80%. While an official estimate is not available, official sources and industry watchers in Delhi said that at least 280 such ZPMC made cranes were actively in operation at diverse ports across India including at Jawaharlal Nehru Port Trust (JNPT), the country’s largest container port.
No major port, without any exception, was functioning without having these cranes at its disposal. As per industry reports, of the 169 yard-cranes delivered in 2022 globally, ZPMC supplied 128 of them. As per US officials, who took part in the hearing, these cranes come with designed “vulnerabilities” that allow these to be controlled by people who are not in the vicinity of these cranes.
Rear Admiral John Vann, of Coast Guard Cyber Command, while responding to a question posed by the committee on whether ZPMC had installed malware, ransomware, or trojan horses in the software that run these cranes, answered in the affirmative. “What we have found in our operations aboard ZPMC cranes and the networks on the cranes, that connect to the cranes, and the shore side that communicate with the cranes, are either by design vulnerabilities of open connections, and again, I say by design, because oftentimes the monitoring of the cranes and the maintenance of the systems on board the cranes is done from a hub outside the port or in the port’s landside infrastructure and then communicated to the crane through a connection, so we have found, I would say, openings to vulnerabilities that are there by design. Our concern is with the vulnerabilities and the operators that operate these cranes being aware that those vulnerabilities exist and then considering the reporting that we’ve heard about PRC attempting to get on to critical infrastructure of these are obviously important nodes in our marine transportation system, sir. So [we] haven’t found that yet, but those vulnerabilities exist to be able to access what’s on the crane,” he said.
While no official confirmation or announcement has been made, it is reported that US military officials avoid ports where ZPMC cranes are in use whenever possible. In an assessment conducted by the US Defense Intelligence Agency in 2021, it was found that Beijing had the capabilities to throttle port traffic or gather intelligence on military equipment being shipped by using these ZPMC cranes. Incidentally, in September 2020, India terminated a $29.8 million contract it had placed with ZPMC for buying four so-called rail-mounted quay cranes (RMQCs) to be installed at Chabahar port in Iran.
According to Christa Brzozowski, a senior US bureaucrat with the Department of Homeland Security (DHS), the use of these Chinese cranes at ports had disrupted US trades across the world in a manner that Chinese manufactured goods were able to flow very smoothly, but American manufactured goods and trade were not moving as smoothly. The committee had last year sought a response from a Swiss company ASEA Brown Boveri Ltd (ABB) requesting details of the company’s relationship with ZPMC.
As a part of its communication, it had specifically asked whether ABB or anyone affiliated with ABB had ever cooperated in any way with China’s national intelligence, cybersecurity, or national security laws. To this, ABB had responded by stating, “ABB endeavors to comply with applicable laws in each jurisdiction in which it operates.”
The committee, while taking the response of ABB on records, stated that “The curt response is troubling and implies that ABB may have previously complied with the CCP’s authoritarian national intelligence, cybersecurity, or national security laws.” The committee had asked specifically ABB to consider installing its software and hardware in the United States once the ZPMC cranes arrived instead of being installed by ZPMC engineers in China. However, the company indicated that it cannot do this.
As a long term measure to move away from its reliance on the Chinese cranes, in February this year, the US government stated it would be investing more than $20 billion over five years to boost crane manufacturing in the United States. The Indian government, as officials told The Sunday Guardian, is yet to take into cognizance the dangers that these cranes could pose in case a confrontation starts between the two countries or the details that they are likely gathering and transferring illegally to unknown recipients.