
A surveillance camera is seen in front of a Huawei logo in Belgrade, Serbia on Aug. 11, 2020.

MARKO DJURICA/Reuters

A Huawei-built data centre in Papua New Guinea is a “failed investment,” that country’s government says, after a technical review found serious security vulnerabilities in what was designed to be an important piece of the country’s digital infrastructure.

Dated encryption technology and the placement of some devices in the centre meant that “data flows could be easily intercepted,” according to a review commissioned by Papua New Guinea’s National Cyber Security Centre and obtained by The Globe and Mail. The security centre receives funding from Australia’s Department of Foreign Affairs and Trade. Canberra was given a copy of the report, whose findings were first reported by the Australian Financial Review.

The report details numerous technical deficiencies in the National Data Centre, including firewall devices “with basic settings for defence”; the use of 3DES, a 1995-era encryption standard “considered openly broken since 2016”; and the installation of core switches outside firewalls, which means “remote access would not be detected.” The physical configuration of the data centre was different from the schematics for its design, and the differences made it more vulnerable to hacking.

The data centre was financed by a US$53-million loan from the Export-Import Bank of China and designed by engineers from Huawei Technologies Co. Ltd. Its deficiencies have renewed questions about the trustworthiness of Huawei technology at a time when Ottawa and other Western capitals are mulling whether to allow equipment from the Chinese company in 5G networks.

“To some extent, we can conclude that it truly is a failed investment,” Timothy Masiu, Papua New Guinea’s Minister for Information and Communication Technology, said in a statement on Thursday. He suggested looking instead to cloud storage from companies like Amazon.com Inc. and Microsoft Corp., before cautioning against geopolitical point-scoring over digital infrastructure. “Our national issues are our business, and must not be used to fit any other narrative,” he said.

Outside Papua New Guinea, however, the problems with the data centre add to concerns about the security of technology made by a company headquartered in China, where the law compels organizations and citizens to “support, assist and co-operate” with the country’s intelligence apparatus.

The United States, the U.K. and Australia have to varying degrees banned Huawei’s 5G technology.

Last year, the U.K.’s Huawei Cyber Security Evaluation Centre oversight board faulted Huawei more broadly for problems with “basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.” In April, 2019, Ian Levy, the technical director of the National Cyber Security Centre in the U.K., told the BBC that “the security in Huawei is like nothing else – it’s engineering like it’s back in the year 2000 – it’s very, very shoddy.”

Huawei was also the main digital supplier to the Chinese-built African Union headquarters, where, for five years, data were transferred to servers in Shanghai, according to reports in Le Monde Afrique and The Financial Times. Officials have denied such problems existed, and Huawei has said that if any data leaked, it wasn’t from the company’s equipment.

Still, such problems point to “a relatively immature … security culture in the company,” said Christopher Parsons, a senior research associate at The Citizen Lab, which specializes in communications and security studies at the Munk School of Global Affairs and Public Policy.

In Papua New Guinea, “some of the issues being raised are not particularly advanced problems to have identified and then remediated,” Mr. Parsons said. “The fact they weren’t is unfortunate, and speaks poorly of the security culture that Huawei has.”

Huawei did not offer an on-record response to detailed questions about the Papua New Guinea data centre from The Globe. It told the Australian Financial Review: “This project complies with appropriate industry standards and the requirements of the customer.”

Huawei has a deep foothold in Papua New Guinea. The company built 4G networks for the country, a high-speed broadband network, and a network of submarine cables to connect coastal settlements. At least one local community complained that excavators used to lay underwater cable broke reefs.

Huawei was also the contractor for a national identity project that includes an electronic identification (e-ID) system backed by a database. That database, service for which has occasionally been interrupted for days, is at the National Data Centre.

The company’s importance to Papua New Guinea means trouble with the data centre is “a very sensitive issue,” the Ministry of Information and Communication Technology said in a chat message.

In Beijing, foreign ministry spokesman Zhao Lijian said the “Chinese government always requires Chinese companies, in their overseas operations, to strictly follow international regulations.” But, he said, the Chinese government firmly opposes “some foreign media’s malicious discussions about the data centre.”

In Papua New Guinea, security vulnerabilities have become less of a concern than disrepair. The data centre has a slow internet connection, and some of its components – including backup batteries and an e-mail server – are broken. Software licences have expired, and the report says local authorities do not have enough funds to properly maintain the centre.

As a result, it “is not currently used by a significant portion of the government of PNG,” the report found. “It is assessed that a full rebuild would need to occur to modernize the facility.”
