Posted on September 13, 2023
The House China Select Committee made a splash earlier this year. One of its first moves was to investigate Chinese cybersecurity risks in U.S. ports. Visiting the Port of Miami, committee members argued that the Chinese Communist Party could be spying on American ports through Ship-to-Shore (STS) cranes we buy from ZPMC—a Chinese state-owned enterprise. These cranes load and unload cargo from container ships, making them essential for America’s trade with the rest of the world.
The committee members’ investigation faced a basic problem, however: uncertainty about just how many Chinese cranes are in American ports in the first place. Now, we finally have an answer. Our first-of-its-kind analysis of public port infrastructure data found that nearly half the STS cranes used in the average American container port come from ZPMC. In some ports, such as Philadelphia’s, nearly every STS crane is produced by the ZPMC, the world’s biggest STS manufacturer.
Our reliance on Chinese cranes poses major threats to American national security. Through the crane’s software, the Chinese Communist Party (CCP) could spy on our ports and collect critical data contained in port IT systems. Chinese law gives the CCP the power to demand data collected by any Chinese company, and requires Chinese manufacturers to install software granting the CCP access to any equipment they produce. Together, these policies mean the CCP could easily use ZPMC’s cranes to collect sensitive data on our port system.
We’ve already had a preview of the economic disruption a cybersecurity hack could cause. When hackers targeted Colonial Pipeline in 2021, they disrupted gas distribution in the eastern U.S., creating a temporary national emergency. And this damage was caused by hackers just looking for a payout. A sophisticated foreign adversary could wreak even more havoc.
Concerns about ZPMC have been rightly growing for years. In 2019, the Trump administration planned to impose tariffs on all Chinese STS cranes as part of its broader pushback against China, but the final tariff list did not include cranes. Last year, Representative Carlos A. Gimenez (R-Fla.), recognizing our ports’ cyber vulnerabilities, introduced legislation to block the purchase of Chinese cranes in American ports. The FY2023 National Defense Authorization Act smartly required the U.S. maritime administrator to produce a study on whether foreign-made cranes pose a security risk to American ports.
Don’t take the government’s word for it, though. Port operators themselves have taken precautionary steps to secure their ports from potential Chinese meddling. The Port of Virginia, for example, has required the installation of American-made software in the port’s new ZPMC cranes and mandates inspections in China to ensure quality control and minimize potential intellectual property theft.
While Congress is getting serious on the issue, there are other actions the United States can take at home and abroad to strengthen port security. In the short term, the Department of Homeland Security should use the Port Security Grant Program to fund cybersecurity upgrades for American ports and assign the Cybersecurity and Infrastructure Security Agency to audit our maritime infrastructure.
In the long term, we must work to reduce our dependence on ZPMC—a change that’s been a long time coming. Despite STS cranes being an American invention, our domestic industry was crippled by offshoring, and ZPMC’s cranes have been the most common STS cranes purchased in the U.S. since 1999. To reduce our dependence on ZPMC, the U.S. should pursue “friend-shoring” efforts to purchase cranes from manufacturers based in allied nations, and mandate trusted software on the cranes.
The House China Committee took the crucial first step of asking the right questions about ZPMC’s role in our ports. Now, we have a clear answer: nearly half the cranes at the average American container port are manufactured by ZPMC. What comes next is the hard work of reducing our reliance on these cranes.
