House members raise hacking fears with D.C. Metro over future fleet of railcars

Five members of Congress representing the D.C. region echoed fears on Monday about foreign adversaries gaining control of local infrastructure by winning the contract to build Metro’s future fleet of railcars.

Del. Eleanor Holmes Norton and Reps. Gerry Connolly, Jamie Raskin, David Trone and Anthony Brown — all Democrats — sent a letter to Paul Wiedefeld, Metro’s general manager, reiterating concerns raised by Senate counterparts recently about the agency’s ongoing effort to acquire hundreds of next-generation 8000-series railcars by 2024.

“As you know, critical infrastructure systems around the country have been increasingly targeted in recent years as part of coordinate hacking attempts and other forms of interference, often carried out by or at the direction of foreign governments,” the letter said.

“In the transportation sector, there has been increased interest from some of these same foreign governments, acting through state-owned intermediaries, to participate in state and local procurements, including those to manufacture and assemble railcars for transit agencies around the country,” the letter said. “While other cities have welcomed this investment, we have serious concerns about similar activity in the National Capital Region, particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security.”

Metro plans to purchase at least 256 of the 8000-series cars in order to replace older members of its fleet with newer cars equipped with modern technologies including automatic train and networks controls, high-definition security cameras, digital screens and “smart doors,” the agency announced in September.

More recently, four Democratic members of the Senate representing the D.C. area raised related concerns with Mr. Wiedefeld last month after a news report said that the state-owned China Railway Rolling Stock Corp. “is expected to be a strong contender” for the contract to provide Metro’s future fleet.

“Many of these technologies could be entirely susceptible to hacking, or other forms of interference, if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers,” Sens. Mark Warner and Tim Kaine of Virginia and Ben Cardin and Chris Van Hollen of Maryland wrote Jan. 20.

“These technologies are susceptible to hacking or other forms of interference that could enable intelligence gathering and espionage, service disruptions or other activities detrimental to our national security,” the House counterparts echoed Monday.

In addition to raising cybersecurity concerns of their own, the lawmakers opposed to contracting abroad asked Metro whether it has received any related briefings from the Department of Homeland Security or whether it will consult with the military prior to making any purchases, particularly given the system’s proximity to Department of Defense facilities including the Pentagon.

“Metro continues to share the concerns expressed by Congress regarding cybersecurity, and we have taken the steps available within our control to address the matter,” Metro spokesman Dan Stessel told The Washington Times later Wednesday. “Specifically, Metro has amended the 8000-series procurement to include provisions addressing cybersecurity, including hundreds of technical requirements to ensure the integrity of all hardware and software following the NIST framework. We will also require that all code be reviewed for vulnerabilities and conduct full penetration tests of the completed railcars by an independent, DoD-cleared third party.

“As we have said consistently, the issues raised by Congress cannot be addressed through Metro’s procurement process alone, and we urge Congress to consider passing or amending federal law or regulations to address these concerns,” Mr. Stessel added. “Metro stands ready to fully assist Congress in this effort.”