The threat to U.S. critical infrastructure posed by foreign state-owned enterprises is real and America is not doing enough to inoculate itself against it and effectively manage the risk to our economic and national security.
The issue has come up repeatedly in connection with major U.S. rail and transit systems such as Boston, Chicago, Los Angeles, and Philadelphia. In these cases and others, China Railway Rolling Stock Corporation (CRRC) is building and supplying rail cars after outbidding the competition. Why does this matter? Because the potential for continuous and direct (adversary) access to U.S. railcars and transit systems is real. This means that the trains could be shut down, operations could be disrupted, knock-on effects could hit other critical U.S. infrastructure sectors, and major U.S. cities could experience significant economic effects.
The problem is that non-market economies like China’s skew the playing field: U.S. private enterprise has the deck stacked against it when up against bids that benefit from substantial state support. From the standpoint of resource-strapped U.S. local governments, the temptation to go with the lowest price is clear, but you get what you pay for — and in this context, the price of giving in to temptation is far too high.
Consider this: a Chinese foothold in the U.S. supply chain gives rise to a host of concerning possibilities – from computer network exploitation (spying), to intelligence preparation of the battlefield (mapping of critical U.S. infrastructure), to computer network attack. The foreign company need not even be a witting accomplice since Chinese laws oblige assistance and afford the state a pipeline into U.S. infrastructure.
If you think this is just about rail cars, think again. The transportation sector is like a hub that serves many spokes. Among them is the U.S. military, which relies to a certain extent upon civilian entities and functions in order to project U.S. power around the globe and execute defense operations. To compromise the transportation sector is to compromise mission assurance potentially. This is just one example of how national security and economic security are two sides of the same coin.
Another compelling illustration of this principle: 5G telecommunications technology from Chinese companies Huawei and ZTE. Here again, foreign state-owned enterprises and the advanced technologies they offer at relatively low cost pose a dilemma for the owners and operators of critical U.S. infrastructure. 5G is the foundation upon which next-generation networks worldwide will rest. Every sector and function that depends on telecommunications will in turn be affected by (who builds and contributes to) these networks. The stakes are high. Does it make sense, then, to build 5G on quicksand? The same holds true for the Internet of Things.
Moving forward smartly means integrating cyber equities into our thinking and practices at the time of conception and inception rather than retrofitting later on. The good news is that we are starting to move in this direction already. For example, legislation now requires that new public transit system railcars be subject to cybersecurity certification – and that a specific category of countries of concern be barred from participating in rolling stock procurement bids solicited by public transit systems. Notably, testing and analysis by a third party has proven successful in moving markets in other industries. We can and should extend this approach to other critical infrastructure sectors. At the same time, we must also think harder about how to better leverage market forces to incentivize security. This could include mechanisms to encourage suppliers to prioritize security as a differentiator in the products they produce.
Starting with the so-called Lifeline Sectors (the most critical of critical infrastructure: think defense, energy, and water, for instance) and the National Critical Functions identified by the National Risk Management Center, security concerns should be elevated and continuously assessed and managed. Scrutinizing supply chains is one piece of this exercise. Another is calibrating and synchronizing evermore finely the ongoing efforts of key players such as the FBI and NSA to better support our highest-priority critical infrastructure and national critical functions.
Admittedly, action will entail costs; but failure to act will ultimately come at a much greater price.
The need for speed and focus is clear. China is not dithering. It plans to double current research spending to reach $800 million. These funds are expected partly to underwrite recruitment efforts (the Thousand Talents Program) as part of a bigger play for strategic dominance. A key plank in that plan is “Made in China 2025,” which speaks to building domestic capacity in science and technology. However, this strategy is being powered by theft of U.S. intellectual property, the scale and scope of which is remarkable: the FBI has approximately 1,000 investigations underway (specific to China) – in all 56 of the Bureau’s field offices and encompassing almost every industry and sector. In short, U.S. companies and universities all across the country are targets.
Bottom line: China is executing a broad-based and ambitious strategy intended to serve the country’s economic, military, and political goals. America needs to do the same, urgently.