Our defense industrial base depends on supply chains freely moving into and through the U.S. But while adequate cybersecurity safeguards are in place to protect our most advanced defense systems, the movement of cargo in and out of U.S. ports and the technology that powers our broader defense industrial base is less vigorously defended. This constitutes a critical vulnerability that our adversaries routinely exploit.
As China develops a modern, indigenous defense industrial base, it endeavors to better understand our own. Studies by the RAND Corporation have found that the People’s Liberation Army (PLA) is studying the logistical patterns of the U.S. military, as their Army, Navy, and Air Force face persistent challenges in logistics and maintenance as they seek to expand operations beyond their territorial waters. The Chinese intend to close this capabilities gap by any means necessary. Today, subcontractors in the logistics and cargo distribution industry are top targets for network intrusions. A 2014 probe by the Senate Armed Services Committee revealed that the Chinese government had hacked more than 20 transportation companies that serve U.S. Transportation Command (TRANSCOM). Even more disturbing, the Defense Department was aware of only two of these attacks.
China is also looking to acquire U.S. companies that possess valuable logistical data and access to sensitive government facilities and ports. In the first two months of this year, Chinese companies have pledged more than $102 billion for acquisitions in the U.S. While many of these create stronger and mutually beneficial economic linkages, other proposed or pending takeovers of U.S. companies by Chinese state-owned companies are far less benign.
For example, Zoomlion Heavy Industry Science and Technology Co. — picture a Chinese version of Caterpillar, the U.S. construction equipment manufacturer — has put forward an unsolicited takeover offer for Connecticut’s Terex Corporation. The state-owned Zoomlion has extensive ties to and contracts with various branches of China’s military. It established the Industrialization Base of the PLA’s National Emergency Transportation Equipment Engineering Research Center. And it claims to be “devoted to China’s military industry.”
On its face, the acquisition of a company best known for manufacturing cranes and forklifts might not be a cause for concern. But Terex manufactures specialized military equipment, such as MAC-50 all-terrain cranes customized for use by the U.S. Marine Corps. Its employees have access to ports and military bases — they service and maintenance MAC-50s in Afghanistan and Iraq — and to the computer networks of several branches of the Armed Services, the Defense Logistics Agency, and the U.S. Departments of Defense and Homeland Security, among others. If espionage and malicious hacking are a means toward getting the camel’s nose in the tent, acquisitions like Zoomlion’s allow the camel in the front flap.
Given these facts, why would Terex consider such an offer? In a word, profit. Generous financing from the Chinese government allows corporations like Zoomlion to outbid other suitors that might be more reliable from a national security perspective. And when shareholders see a higher bid, they are prone to tune out the national security implications.
Thankfully, Congress and policymakers have different priorities. When a pending takeover could place national security at risk, lawmakers have a responsibility to ask tough questions. Reuters recently reported that Terex has 97 priority-rated contracts — that is, contracts that are part of supply chains that the U.S. government must be able to access during a national emergency. Should Terex accept Zoomlion’s bid, policymakers must consider the probability that a crisis involving the U.S. and China could restrict access to those vital supply chains. Furthermore, policymakers must vet existing Terex contracts to ensure that none involve technical data controlled under the International Traffic in Arms Regulations (ITAR), which restrict exports of military items to a number of countries, China included. Beijing’s track record of espionage and cyberwarfare demands such vigilance.
The forthcoming implementation of President Barack Obama’s cybersecurity strategy provides an opportunity to apply high standards for private sector partners that manage logistics and transportation on behalf of government agencies. The Defense Department’s new Cybersecurity Discipline Implementation Plan, which seeks to reduce the points of vulnerability where adversaries can attack, is a step in the right direction. But beyond targeting our cyber vulnerabilities, deals like Zoomlion’s bid for Terex demonstrates how our strategic competitors also attempt to acquire the infrastructure itself. Therefore, Congress must work with the Administration to ensure that the Committee on Foreign Investment in the U.S.(CFIUS) – which is charged with reviewing and, if necessary, blocking foreign acquisitions of U.S. companies – has the necessary capacity and funding to adequately vet the current influx of foreign investment. Senator Sherrod Brown of Ohio underscored this concern in a recent letter to Treasury Secretary Jack Lew, who chairs CFIUS. And given China’s continued attention to the movement of goods in and out of U.S. ports, as well as more immediate threats to critical infrastructure by foreign hackers, CFIUS’ leadership should be expanded to include the Secretary of Transportation.
Policymakers must take a holistic view when safeguarding the broader array of vulnerabilities of the U.S. defense industrial base – from planes to cranes and everything in between.