Senators caution WMATA against cyber threats in new rail cars

Four Democratic senators representing the Washington Metropolitan Area Transit Authority's (WMATA) service area are calling on the agency to mitigate cybersecurity risks as it seeks to procure new 8000-series rail cars.

In a letter sent late last week to WMATA General Manager and Chief Executive Officer Paul Wiedefeld, the senators raised concerns about potential security risks should the rail-car contract be issued to manufacturers funded by certain other foreign governments.

The lawmakers noted foreign governments' growing interest in participating in local and state procurements in the transportation sector, particularly in the production of cars.

For example, the China Railway Rolling Stock Corp. has used low bids to win four of five large U.S. transit car contracts since 2014, according to The Washington Post.

"While other cities have welcomed this kind of investment, we have serious concerns about similar activity happening here in our nation's capital, particularly when it could involve foreign governments that have explicitly sought to undermine our country's economic competitiveness and national security," the letter stated.

In September 2018, WMATA issued an RFP that called for the cars to include technologies such as automatic train control, network and timeline control, video surveillance, monitoring and diagnostics and data interface.

"Many of these technologies could be entirely susceptible to hacking or other forms of interference if adequate protections are not in place to ensure they are sourced from safe and reliable suppliers," the senators' letter stated.

They also pointed out that WMATA's RFP noted that there are "no Buy America or Disadvantaged Business Enterprise requirements for this contract, raising further questions about what protections will be in place to ensure the integrity of these components."

The letter calls on Wiedefeld to respond to a list of questions, including whether WMATA has received briefings from the U.S. Department of Homeland Security (DHS) and related agencies on "the attempts of foreign adversaries to infiltrate our critical infrastructure and the significant cyber vulnerabilities that can stem from them doing so."

They also call on WMATA to get approval from the DHS and the U.S. departments of defense and transportation before awarding a contract to a foreign adversary.

The senators have raised the issue of prioritizing cybersecurity measures in the past, they wrote. In response, Wiedefeld has stated that WMATA follows industry best practices to protect the agency from cyber attacks.

"We urge that you prioritize adopting robust cybersecurity protections, going beyond industry best practices if necessary, given the new threats that we now face and the unique nature of the threats facing the nation's capital," the senators wrote.

Signing the letter were U.S. Sens. Mark Warner (D-Va.), Tim Kaine (D-Va.), Benjamin Cardin (D-Md.) and Chris Van Hollen (D-Md.).