A Florida lawmaker plans to propose legislation aimed at disincentivizing the purchase of Chinese container gantry cranes by port authorities and terminal operators, saying the cranes pose a cyberthreat to U.S. supply chains.
Speaking on Tuesday during a Capitol Hill hearing on maritime cybersecurity, Republican U.S. Rep. Carlos Gimenez, whose district is south of the Port of Miami, said he is concerned about software embedded in cranes purchased by the port from China that could include malware meant to penetrate port operating systems.
“The other concern I have is that whenever the Chinese want, they can cut off our supplies of spare parts” for the cranes, “which means that a significant part of our ability to load and offload ships would be compromised. I will be introducing legislation to try and wean us off these Chinese cranes and other infrastructure needs that may be coming from adversary nations.”
Gimenez did not provide details on how his planned legislation would work.
Cranes manufactured by China’s Shanghai Zhenhua Heavy Industries (ZPMC), which controls upwards of 70% of the world’s post-Panamax container crane market, according to some estimates, are popular at U.S. ports under pressure to expand their capacity to process growing container volumes.
Most recently, terminal operator SSA Marine purchased four super post-Panamax cranes from ZPMC that arrived at the Port of Seattle in June. Four similar cranes were delivered to the Port of Baltimore in September, purchased by terminal operator Ports America.
The hearing, held jointly by two subcommittees of the U.S. House Committee on Homeland Security, was the latest seeking to evaluate whether more regulatory oversight is needed to effectively address growing cyberthreats against transportation systems.
“Shocked by what we learned during their oversight of Colonial Pipeline and other recent high-profile cyber incidents, members of Congress have begun to question whether the federal government’s approach to cybersecurity — which relies primarily on voluntary partnerships — actually works, or whether some security requirements ought to be mandated,” the committees noted in a joint statement.
Scott Dickerson, who directs the Maritime Transportation System Information Sharing and Analysis Center Institute, a nonprofit whose members include ports, vessel owners and terminal operators, agreed with Gimenez’s theory that China is manipulating container crane markets through pricing to become world’s “sole provider” of large container gantry cranes.
“I think there is some undercutting of the market taking place,” he said at the hearing. “Maybe augmenting [legislation] with grant programs that could allow the [U.S.] private sector to reasonably make those investments would be helpful.”
But Dickerson also took issue with how the federal government is working with industry to combat cyber-risk.
“Currently this is not an effective system of public-private partnership and collaboration,” Dickerson testified. “It feels like industry is being threatened with additional regulation and security directives rather than being treated as the partners who own and operate the vast majority of critical infrastructure.”
He said that because of various intermodal connections at ports, terminals and other maritime facilities, his members are subject to multiple and overlapping regulatory requirements.
“As a result, limited resources are often spent on redundant checklists, meetings, reports and audits, as opposed to actively managing cyber-risk to critical infrastructure. It seems like every time we turn around there’s a new effort unveiled by a government agency, and often it seems to be repackaging elements of an older program with a new name.”
To improve the government-private sector relationship when it comes to cybersecurity — which includes improving maritime operators’ trust in how the government handles data collected before and after an attack — Dickerson provided the committee a list of recommendations for federal officials.
They included supporting private-sector practices that already address governmental needs and are proven effective for critical infrastructure. Also, the Cybersecurity and Infrastructure Security Agency should consider funding information-sharing analyst positions “to better facilitate the bi-directional flow of information across critical infrastructure.”