U.S. President Joe Biden has signed an executive order that creates new rules to bolster security at American ports, while also committing $20 billion to shift away from the use of Chinese-made cranes that officials are at risk of being seized remotely and shut down.
The rules follow a warning from FBI Director Christopher Wray last month that Chinese hackers had burrowed into key American infrastructure and were waiting to "wreak havoc" if ordered by Beijing, potentially to try to break public support for the U.S. defense of Taiwan.
Biden signed the executive order on Wednesday. On Tuesday night, officials told reporters the decision was made due to fears that hackers could cause economic and social chaos by seizing and disabling the advanced cranes used at ports around the United States.
“America’s prosperity is directly linked to maritime trade,” the White House said in a statement, noting that ports were a conduit for $5.4 trillion worth of economic activity a year, employed some 31 million Americans and received 95% of all cargo imports.
But Rear Adm. Jay Vann, commander of the U.S. Coast Guard Cyber Command, told reporters that more than 80% of the “ship-to-shore” high-tech cranes used at American ports were made in China and used Chinese software, leaving them “vulnerable to exploitation.”
“By design these cranes may be controlled, serviced and programmed from remote locations,” Vann said, adding that about 200 of such cranes were used in the United States, with about half of them having been inspected by authorities so far for security vulnerabilities.
The remote shut down of the cranes could “cause cascading impacts to our domestic or global supply chains,” he said, with operators unable to move imports or exports, creating massive shortages of goods.
New rules
Biden’s executive order will force port operators to report to the Department of Homeland Security any cases in which cyber crimes, or even threats of crimes, “endanger” any shipping vessel or port.
The U.S. Coast Guard, meanwhile, will enforce a new directive on “cyber risk management” for ports that use the Chinese-made cranes, which the White House says is aimed at “addressing several vulnerabilities that have been identified” by federal agencies.
Coast Guard authorities will be empowered to conduct inspections of port facilities and ships and even stop the movement of vessels deemed security threats. The moves give the Coast Guard “clear authority to take action in the face of cyber threats,” Vann said.
That will work as a stopgap until more of the advanced cranes are produced by an American subsidiary of Japanese crane maker Mitsui E&S. The $20 billion will come from the $1 trillion infrastructure bill Biden signed in 2021 and from the 2022 Inflation Reduction Act.
The efforts point to an increased focus by U.S. officials on the risk of foreign hackers attacking America without coming anywhere near it.
Officials point to the May 2021 attack on the Colonial Pipeline as an example of the chaos that can be caused by cyber attacks. That attack shut down gas supplies to much of the U.S. eastern seaboard for nearly a week before a $4.4 million ransom was paid out in BitCoin.
Ports have been the targets of similar threats, though, with Japan's Port of Nagoya last year hit by a ransomware attack by hacking group LockBit that shut down its ability to process imports and exports.
LockBit was last week infiltrated by a global law enforcement campaign led by the United States and United Kingdom, with arrests in Eastern Europe and the seizure of hundreds of cryptocurrency accounts.
On Wednesday, the U.S. State Department also announced a $15 million reward for information about the group's leadership.
Crane envy
U.S. authorities, though, appear to view state-backed hacking of key infrastructure as the most likely source of a cyber attack on ports.
The worldwide crane market is currently dominated by China’s Shanghai Zhenhua Heavy Industries Company, often known as ZPMC, which has recently come under scrutiny from U.S. lawmakers.
ZPMC claims to control 70% of the worldwide crane market, according to a Wall Street Journal report, and a 2021 report by the Pentagon said that the widespread use of the company's cranes could potentially help Beijing track the movement of sensitive U.S. military hardware.
Last month, a group of prominent Republican lawmakers in the U.S. House of Representatives said they wanted to probe an “alarming security vulnerability” on some ZPMC cranes sold to American port operators, which they said had created potential “cybersecurity risks, foreign intelligence threats, and supply chain vulnerabilities.”
The Jan. 16 letter was signed by Homeland Security chairman Mark Green of Tennessee, Select Committee on China chairman Mike Gallagher of Wisconsin, Transportation and Maritime Security chairman Carlos Giménez of Florida and Counterterrorism, Law Enforcement and Intelligence chairman August Pfluger of Texas.
However, Beijing has hit back against the claims that ZPMC or other Chinese companies represent a threat to U.S. cyber security.
Chinese Foreign Ministry spokesman Wang Wenbin on Jan. 22 accused the U.S. lawmakers and leaders of seeing “anything advanced from China” as a “threat [that] must be stopped by all means.”
“From accusing Chinese I.T. manufacturers of leaving ‘backdoor’ in their products to calling Chinese cranes ‘Trojan horse’ that collect intelligence, and to blaming China-produced E.V. cells for harming U.S. national security,” Wang said.
“Some U.S. politicians have been blowing up the bubble of ‘China threat’, while exposing their real aim of suppressing China’s development in the name of national security,” he said.