Senators worry that new D.C. Metro railcars could carry cyber risk

The lawmakers exhorted the subway system's leadership to “take the necessary steps to mitigate growing cyber risks" to new railcars that could be produced by a Chinese company.
Washington D.C. Metro Maryland Virginia subway
A station in Washington, D.C.'s Metro system. (Thomas Dwyer / Flickr)

Senators who represent the Washington, D.C., area have raised concerns about added cybersecurity risks in the region’s Metro system after reports that a Chinese state-owned manufacturing company could win a $1 billion procurement for railcars.

The four Democrats – Sens. Mark Warner and Tim Kaine of Virginia, and Ben Cardin and Chris Van Hollen of Maryland – wrote to the Washington Metropolitan Area Transit Authority expressing their “serious concerns” of possible foreign bidding on the project, “particularly when it could involve foreign governments that have explicitly sought to undermine our country’s economic competitiveness and national security.”

The Jan. 18 letter to WMATA CEO Paul J. Wiedefeld, the lawmakers exhorted him to “take the necessary steps to mitigate growing cyber risks to these cars.” The worry is that technology in the transit system, including video surveillance cameras and the automated aspects of railcars, could be a target of spies or hackers.

The state-owned China Railway Rolling Stock Corp. “is expected to be a strong contender” for a Metro contract likely worth over $1 billion for between 256 to 800 new railcars, The Washington Post reported Jan. 7.


U.S. intelligence officials and lawmakers regularly allege that the Chinese government could leverage technology deployed by Chinese companies to spy on Americans or introduce other vulnerabilities to infrastructure. Chinese companies have routinely denied those allegations.

Metro is planning on amending an earlier request for proposals for the railcar project to include cybersecurity protocols, according to the senators. The lawmakers want to know how rigorous these protocols are, and if Metro will consult cybersecurity experts at the departments of Homeland Security and Transportation when evaluating project bids.

In a reference to China, the senators asked Wiedefeld if Metro will consider a company’s ties to foreign governments with a history of industrial and cyber-espionage when assessing bids, and whether the transit authority will allow a railcar’s sensitive components to be sourced from such countries.

For the senators, federal oversight of the Metro railcar project is key. They want to know if Metro officials have been briefed by DHS or other agencies on foreign hackers’ probing of U.S. critical infrastructure. The lawmakers also ask if Metro will consult with defense officials before allowing foreign-government-built railcars to stop at the Pentagon, which is part of the Metro system.

In a statement, Wiedefeld said he had received the letter and would respond to the senators as soon as possible.


“We recognize the important national security concerns being raised, and we are working to strengthen this procurement and others with new cybersecurity requirements,” Wiedefeld said. “While we have a fiduciary responsibility with all procurements, safety and security is always our first priority.”

Metro, which has been losing $400,000 a day because of the government shutdown, is doing a series of cybersecurity audits designed to make it less vulnerable to hacking, according to The Post. A classified inspector general report presented to the Metro board last June found “opportunities for improvement” in how the agency detects and remediates malicious cyber activity, the newspaper reported.

You can read the full letter below.

[documentcloud url=”” responsive=true]

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts