Last week, U.S. President Joe Biden’s administration rolled out a coordinated set of efforts to mitigate cybersecurity risks to U.S. port infrastructure and supply chains. These plans included an ambitious, international project to improve U.S. manufacturing competitiveness in a strategic sector: port equipment.
The primary and explicit motivation for these actions, according to national security officials, arises from the complex threat posed by the People’s Republic of China (PRC). However, even the fairly strong remedies proposed are likely to fall well short of the mark without extraordinary compliance from unenthusiastic commercial actors. There is also no timeline for producing a viable, technical substitute for China’s outsized role in U.S. maritime transport systems.
The administration’s efforts should be assessed in the context of its wider push to protect vital supply chains and diminish the growing risk of attacks on critical infrastructure. The key new element introduced last week was a presidential executive order and its finding “that the security of the United States is endangered by . . . persistent and increasingly sophisticated malicious cyber campaigns” targeting American ports. The order establishes new regulatory authorities for the Department of Homeland Security and authorizes U.S. Coast Guard officials to create new rules imposing minimum cybersecurity requirements for port users. It further empowers the Coast Guard to inspect and control vessels and shoreside activities on the basis of even “suspected cyber threat.”
The White House paired these security-focused restrictions with a large economic inducement: some $20 billion in spending to onshore the manufacturing capacity necessary to replace ubiquitous PRC-made cranes with a U.S.-made substitute. The centerpiece of the effort is a major grant to PACECO Corp., the U.S. subsidiary of a Japanese industrial conglomerate, which is meant to establish a new facility and partner with other international firms that can provide manufacturing capabilities that have not been resident in the U.S. private sector for decades. Five years of funding were made available from the Inflation Reduction Act and Infrastructure Investment and Jobs Act, with no announced time frame for implementation.
Significant action on Chinese cranes in U.S. ports has been on the horizon for several months. The 2023 National Defense Authorization Act required the Maritime Administration to lead an interagency study on the cranes’ security threats. Several House members have championed the issue, and the China Select Committee has initiated a series of hearings and investigations of commercial actors contracting with PRC entities that produce and service equipment for U.S. ports. A range of studiesconducted by government and private actors have established a need for further action.
The central, practical concern is how to control risk from the dominant role of ship-to-shore gantry cranes made by a single manufacturer, the Zhenhua Heavy Industries Company (ZPMC), a major PRC state-owned engineering enterprise. These cranes make up some 80 percent of U.S. container cargo-handling equipment. This commanding market share did not appear overnight, and toppling this near monopoly will be a tall order, given these existing cranes’ essential role in existing U.S. maritime transport systems. Cranes of this sort have not been manufactured in the United States for thirty years.
More than 200 Chinese-manufactured cranes are operating in the United States today, but only ninety-two have been subjected to any security evaluation by U.S. officials. These cranes are sophisticated digital systems that handle sensitive data about containers and their contents, origins, and destinations. They integrate directly into port community platforms and other IT systems. The scale and price that Chinese firms offer is unmatched on the global market: China commands an 80 percent market share, with their main ship-to-shore cranes costing about $12 million apiece, when purchased in bulk. These sophisticated systems arrive fully assembled and sealed on specialized barges with their sensors, operating software, and application programming interfaces intact—and, by design, connected to PRC systems.
According to a Maritime Administration advisory on last week’s executive order: “[ZPMC] cranes may, depending on their individual configurations, be controlled, serviced, and programmed from remote locations.” Equipped with a range of sensors to observe and record both physical and digital flows, the cranes provide an extraordinary centralized network for acquiring business intelligence that also creates collection opportunities on the military cargoes and personnel that routinely use commercial terminals. If the cranes were to malfunction or cease to operate normally, they could cripple U.S. transportation capacity, creating dangerous shortages and cascading supply chain failures. Such disruptive scenarios are no longer science fiction, as observed in recent cyber attacks like Volt Typhoon, a massive PRC exploitation of U.S. critical infrastructure IT systems, and the complete operational shutdown at DP World port facilities in Australia.
Given the perceived urgency of these threats, U.S. officials stressed that the new measures are a “requirement rather than a request,” based in part on broader Coast Guard regulatory authorities at U.S. ports. The measures are in keeping with expectations after the 2020 National Maritime Cybersecurity Plan identified alarming gaps in U.S. agency responsibilities for maritime network security. That plan also flagged problems stemming from a lack of oversight of port operators on both cybersecurity and critical infrastructure purchases. Some port operators and industry voices have already chimed in with supportive words and nominal eagerness to comply.
So far, however, the risks do not seem to have captured the imagination of industry in ways that will lead it toward much more than paper compliance with an increasingly burdensome cybersecurity regime. In the wake of the administration’s announcement, the Virginia Port Authority welcomed the measure but noted that all twenty-seven of its ship-to-shore cranes were made by ZPMC, with four more on order. The American Association of Port Authorities stated that they “understand the potential risks that come with operating Chinese-made equipment and have taken steps to mitigate that risk.” Individual ports have for some time been “aware of the concerns regarding ZPMC,” but they thus far remain only in cautious “dialogue” with the U.S. government.
Given deep dependence on China in the maritime transportation sector—not only for port equipment but also for shipbuilding, shipping, containers, and sheer merchandise trade volumes—commercial actors are understandably reluctant to price in any major disruption or voluntarily take actions that will cause operational or financial hardship. Yet this set of executive actions also underscores the reality that national security policy is going to make an increasingly profound and costly imprint on the ports and shipping sector. The trend toward a more rigorous inspection and control regime over private assets, onerous new reporting requirements, and the costly replacement of ZPMC cranes is not an attractive business prospect. The laudable long-term policy to invest in U.S. manufacturing competitiveness in this arena does little to address the pain that will be felt by port operators and shippers in the short and medium terms, as ever-more-severe restrictions are rolled out on various elements of private U.S. commercial engagement with the PRC.
Deteriorating U.S.-China relations—and the prospect of worse yet to come—make this problem a moving target for industry. Businesses would be rational to expect further hardships to come under the banner of national security policy from any administration in Washington. Priorities on cybersecurity, critical infrastructure, and supply chain resilience in the context of “strategic competition with the PRC” are likely to trump commercial considerations. The new measures may not be sufficient to fully protect critical port infrastructure or produce an indigenously manufactured answer to Chinese products, but they are an important signal of a securitized new era in which perceived national security risk is winning out over tangible economic interest.
Thanks to Sarah Camacho for research assistance.