A congressional probe of Chinese-built cargo cranes deployed at ports throughout the U.S. has found communications equipment that doesn’t appear to support normal operations, fueling concerns that the foreign machines may pose a covert national-security risk.
The installed components in some cases include cellular modems, according to congressional aides and documents, that could be remotely accessed.
The discovery of the modems by lawmakers, which hasn’t been previously reported, has added to concerns in Washington about port security and China. The Pentagon and intelligence officials at other agencies in the Biden administration have grown increasingly alarmed by the potential threat of disruption and espionage presented by the giant cranes built by ZPMC, a China-based manufacturer that accounts for nearly 80% of ship-to-shore cranes in use at U.S. ports.
The Chinese government “is looking for every opportunity to collect valuable intelligence and position themselves to exploit vulnerabilities by systematically burrowing into America’s critical infrastructure, including in the maritime sector,” said Rep. Mark Green (R., Tenn.), chairman of the House Homeland Security Committee, which has been investigating Chinese maritime security threats. “The United States has clearly overlooked this threat for far too long.”
Over a dozen cellular modems were found on crane components in use at one U.S. port, and another modem was found inside another port’s server room, according to a committee aide. Some of the modems had active connections to operational components to the cranes, the aide said.
While it isn’t unusual for modems to be installed on cranes to remotely monitor operations and track maintenance, it appears that at least some of the ports using the ZPMC-made equipment hadn’t asked for that capability, according to congressional investigators and documents seen by The Wall Street Journal. One port with modems told lawmakers in a December letter that it was aware of their existence on the cranes, but couldn’t explain why they were installed.
ZPMC, a Chinese state-owned company, didn’t respond to requests for comment. Liu Pengyu, a spokesman at the Chinese embassy in Washington, didn’t address specific questions about the modems but said claims that China-made cranes pose a national-security risk to the U.S. is “entirely paranoia” and amounted to “abusing national power to obstruct normal economic and trade cooperation.”
Concerns about ZPMC’s cranes have been building steadily in Washington for years. In 2021, the Federal Bureau of Investigation found intelligence-gathering equipment on board a ship that was transporting cranes into the Baltimore port, the Journal previously reported.
Last month, the Biden administration announced it would invest more than $20 billion over the next five years to replace foreign-built cranes with U.S.-manufactured ones. The money will go toward supporting the building of cranes by a U.S. subsidiary of Mitsui, a Japanese company, marking what officials said would create a domestic option for ports for the first time in 30 years.
The administration also rolled out a suite of maritime cybersecurity measures, which comes amid rising fears that Chinese hackers have been pre-positioning themselves to disrupt American critical infrastructure in the event of open hostilities, such as a military conflict over Taiwan.
Those actions by the Biden administration followed a Wall Street Journal investigation last year that revealed U.S. fears that cranes made by ZPMC in use at a number of America’s ports could present an espionage and disruption risk. More recently, there has been a surge of warnings from top U.S. officials about the potential threat to American lives posed by the infiltration of the nation’s critical infrastructure by Chinese hackers.
The new focus on cranes and broader maritime security “has been a wake-up call for many western countries,” Wille Rydman, minister of economic affairs for Finland, said in an interview. Finland, which joined the North Atlantic Treaty Organization last year, has been seeking to expand the market share of its maritime industry globally amid the rising concerns about Chinese technology supply chains.
The Finnish company Konecranes, for example, supplied four large container cranes to the port in Savannah, Ga., last summer. Biden administration officials say the Chinese cranes have security shortcomings that should worry ports. “We have found, I would say, openings, vulnerabilities, that are there by design,” Rear Adm. John Vann, who leads the Coast Guard cyber command, said during congressional testimony about the cranes to Green’s committee last week.
In a partially redacted December letter to the committee seen by the Journal, an unidentified U.S. port operator said that the modems weren’t part of an existing contract, but that the port had been aware of their installations on the cranes and that they were intended for a “mobile diagnostic and monitoring” service the port didn’t enroll in.
“We are unsure who installed the modems as they were on the cranes when we first saw them in China,” the letter to the committee said. The modems, according to the letter, were believed to have been installed around June 2017, around the time of the cranes’ manufacturing and assembly, and removed in October of last year.
It couldn’t be determined what prompted the port to take action on the modems or who did so. A committee aide said information collected by the panel indicated the modems had been physically disabled, but not yet fully removed.
“These components do not contribute to the operation of the (ship-to-shore) cranes or maritime infrastructure and are not part of any existing contract between ZPMC and the receiving U.S. maritime port,” the Republican-controlled committees said in a letter sent to the company last week.
The letter to ZPMC said that lawmakers found that many cranes at U.S. ports were built at the company’s Changxing base adjacent to a shipyard on the Shanghai island where the Chinese navy builds advanced warships. It also said lawmakers had learned from briefings with ports and U.S. law-enforcement agencies that ZPMC had repeatedly made requests for remote access to U.S.-based cranes and other maritime infrastructure.
ZPMC cranes entered the U.S. market around two decades ago, offering what industry executives described as good-quality cranes that were significantly cheaper than Western suppliers. In recent years, ZPMC has grown into a major player in the global automated-ports industry, working to connect equipment and analyze data in real time.
Green, the committee chairman, said that the additional components discovered on some cranes “are just one example of the worrisome findings in our investigation.”
The panel intends to finish its probe, which is being done jointly with the Select Committee on the Chinese Communist Party, next month. A public report will focus on ZPMC, its suppliers, and potential threats posed by equipment and technology at U.S. ports that were manufactured in China, a committee aide said.