White House security concerns about cranes affect Oakland's port

When three giant cranes were delivered to the Port of Oakland in March 2021, they were touted as the largest ship-to-shore cranes in North America, a towering marvel that would increase speed and efficiency.

They arrived at the SSA terminal from China, manufactured by ZPMC, or Shanghai's Zhenhua Heavy Industries Company, which is linked to the Chinese government.

Now, the Biden administration is warning that ZPMC cranes could pose a cybersecurity risk.

In an Executive Order on Port Security, the White House announced on February 21st that it is taking steps to secure the nation's ports and supply chains.

The Biden Administration's actions include:

*A $20 billion investment in U.S. crane production in partnership with PACECO Corp., a U.S.-based subsidiary of Mitsui E&S Co., Ltd of Japan

*Requiring crane operators to address Information Technology (IT) and Operational Technology (OT) system vulnerabilities

*Mandatory reporting of maritime cyber incidents/threats

"You need to have confidence in the manufacturer and fundamentally, we don't have confidence in the Chinese manufacturers to do the right thing," said Herbert Lin, a Stanford Fellow with expertise in cybersecurity and national security.

Lin says the big concern is that China could embed in the cranes' operating software malicious code or spyware that could be nearly impossible to detect, allowing China to disrupt U.S. supply chains or gather data.

"They're now computer controlled," Lin said. "The concern, of course, is who is going to provide the programming for all those computers. Obviously, it's the manufacturers and the manufacturers are Chinese."

In a rare show of bipartisan agreement, a Republican House Homeland Security Subcommittee praised the executive order as "the right move by the administration."

The Republicans also said, "ZPMC currently accounts for nearly 80% of the ship-to-shore cranes at U.S. maritime ports."

The committee also noted "the FBI has reportedly discovered intelligence collection devices on ZPMC cranes at the Port of Baltimore," according to a Wall Street Journal report.

Other West Coast ports are evaluating the risks.

The Port of Seattle and Tacoma says it is laying out a plan to address potential cyber spying.

The head of the Port of Los Angeles said it's unclear how China might use data it collects. He also said that finding other crane producers is a challenge.

Lin says it's important for consumers to recognize why the United States' economy is so integrated with China's, when weighing the cybersecurity risks and finding other options for manufacturing in the U.S.

"It's all in the end a question of cost. The reason we go to China is they offer the best performance for the lowest price," Lin said. 

Port of Oakland spokesperson Marilyn Sandifur issued the following news release: "All Port of Oakland’s container cranes have been part of the U.S. Department of Homeland Security (DHS) review. Many, if not most of the cranes at US West Coast container ports are made by ZPMC, including at Oakland. We have more than two dozen container cranes at the Port. We continue to work routinely with DHS and the US Coast Guard for any further actions if needed to ensure the safety and security of our maritime infrastructure. Port of Oakland cranes are designed and custom built to our specifications."

Correction: An earlier version of this story's headline misstated who had issued the warning about the cranes made by ZPMC. The warning came from the Biden administration.