A Huawei-built data centre in Papua New Guinea is a “failed investment,” that country’s government says, after a technical review found serious security vulnerabilities in what was designed to be an important piece of the country’s digital infrastructure.
Dated encryption technology and the placement of some devices in the centre meant that “data flows could be easily intercepted,” according to a review commissioned by Papua New Guinea’s National Cyber Security Centre and obtained by The Globe and Mail. The security centre receives funding from Australia’s Department of Foreign Affairs and Trade. Canberra was given a copy of the report, whose findings were first reported by the Australian Financial Review.
The report details numerous technical deficiencies in the National Data Centre, including firewall devices “with basic settings for defence”; the use of 3DES, a 1995-era encryption standard “considered openly broken since 2016”; and the installation of core switches outside firewalls, which means “remote access would not be detected.” The physical configuration of the data centre was different from the schematics for its design, and the differences made it more vulnerable to hacking.
The data centre was financed by a US$53-million loan from the Export-Import Bank of China and designed by engineers from Huawei Technologies Co. Ltd. Its deficiencies have renewed questions about the trustworthiness of Huawei technology at a time when Ottawa and other Western capitals are mulling whether to allow equipment from the Chinese company in 5G networks.
“To some extent, we can conclude that it truly is a failed investment,” Timothy Masiu, Papua New Guinea’s Minister for Information and Communication Technology, said in a statement on Thursday. He suggested looking instead to cloud storage from companies like Amazon.com Inc. and Microsoft Corp., before cautioning against geopolitical point-scoring over digital infrastructure. “Our national issues are our business, and must not be used to fit any other narrative,” he said.
Outside Papua New Guinea, however, the problems with the data centre add to concerns about the security of technology made by a company headquartered in China, where the law compels organizations and citizens to “support, assist and co-operate” with the country’s intelligence apparatus.
The United States, the U.K. and Australia have to varying degrees banned Huawei’s 5G technology.
Last year, the U.K.’s Huawei Cyber Security Evaluation Centre oversight board faulted Huawei more broadly for problems with “basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors.” In April, 2019, Ian Levy, the technical director of the National Cyber Security Centre in the U.K., told the BBC that “the security in Huawei is like nothing else – it’s engineering like it’s back in the year 2000 – it’s very, very shoddy.”
Huawei was also the main digital supplier to the Chinese-built African Union headquarters, where, for five years, data were transferred to servers in Shanghai, according to reports in Le Monde Afrique and The Financial Times. Officials have denied such problems existed, and Huawei has said that if any data leaked, it wasn’t from the company’s equipment.
Still, such problems point to “a relatively immature … security culture in the company,” said Christopher Parsons, a senior research associate at The Citizen Lab, which specializes in communications and security studies at the Munk School of Global Affairs and Public Policy.
In Papua New Guinea, “some of the issues being raised are not particularly advanced problems to have identified and then remediated,” Mr. Parsons said. “The fact they weren’t is unfortunate, and speaks poorly of the security culture that Huawei has.”
Huawei did not offer an on-record response to detailed questions about the Papua New Guinea data centre from The Globe. It told the Australian Financial Review: “This project complies with appropriate industry standards and the requirements of the customer.”
Huawei has a deep foothold in Papua New Guinea. The company built 4G networks for the country, a high-speed broadband network, and a network of submarine cables to connect coastal settlements. At least one local community complained that excavators used to lay underwater cable broke reefs.
Huawei was also the contractor for a national identity project that includes an electronic identification (e-ID) system backed by a database. That database, service for which has occasionally been interrupted for days, is at the National Data Centre.
The company’s importance to Papua New Guinea means trouble with the data centre is “a very sensitive issue,” the Ministry of Information and Communication Technology said in a chat message.
In Beijing, foreign ministry spokesman Zhao Lijian said the “Chinese government always requires Chinese companies, in their overseas operations, to strictly follow international regulations.” But, he said, the Chinese government firmly opposes “some foreign media’s malicious discussions about the data centre.”
In Papua New Guinea, security vulnerabilities have become less of a concern than disrepair. The data centre has a slow internet connection, and some of its components – including backup batteries and an e-mail server – are broken. Software licences have expired, and the report says local authorities do not have enough funds to properly maintain the centre.
As a result, it “is not currently used by a significant portion of the government of PNG,” the report found. “It is assessed that a full rebuild would need to occur to modernize the facility.”