Huawei built a data center for Papua New Guinea (PNG) where security systems did not match its planned design, with glaring errors that opened the facility up to spying.
The claim was made in a 65-page report funded by the Australian government's Department of Foreign Affairs and Trade, on behalf of Papua New Guinea's National Cyber Security Centre.
The facility, funded with a $53m loan by the Chinese government, was meant to host all of the PNG government's departments, but only a handful have moved due to insufficient funding.
Now why would they do that?
The report, seen by the Australian Financial Review, "assessed with high confidence that data flows could be easily intercepted."
Encryption software was outdated, the algorithm used for encrypting communications has been previously called "openly broken," and firewalls had reached their "end of life" two years before the facility opened in 2018. The firewalls also did not cover core switches, with the report noting: "This means remote access would not be detected by security settings within the appliances."
The report suggests but does not conclusively state that Huawei's poor cybersecurity systems were intentional. But it adds that if there was a plan to spy on PNG government operations, it mostly failed due to the data center falling into disrepair as there was insufficient funding for maintenance and operations.
While all government departments had planned to shift to the data center, most did not. Software licenses expired, and the UPS batteries degraded and were not replaced.
In an effort to fix the facility, the PNG government turned to Australia for help, asking for financial assistance. Instead, the Australian government commissioned this report. It has not provided funds to fix the facility, with the report claiming that a "full rebuild" would be required.
“This project complies with appropriate industry standards and the requirements of the customer," Huawei said.
The company also built a submarine cable network connecting Papua New Guinea's disparate islands to each other and Indonesia.
Australia, the United States, and Japan all tried to stop the project, but were unsuccessful. Australia did manage to lock Huawei out of a cable connecting PNG and the Solomon Islands with Australia, by putting up $200m in foreign aid. Huawei has since sold its submarine cable division to another Chinese firm.
Huawei has gained billions of dollars of business through China's policy of providing low interest loans to developing nations, on condition that the money is spent with Chinese companies. These concessional loans have funded data centers in countries like Kenya, Pakistan, and Cameroon. With such projects, the company has always maintained that it had no access to user data.
In November 2018 it was revealed that the network and data center at the African Union’s Ethiopia headquarters saw data exfiltrated from its network every night for a period of five years.
The headquarters were funded by the Chinese government, and built by a state-owned company as a 'gift.' The network was operated by Ethio Telecom, and built by Huawei.
Huawei denied the claim and at the time, Australian Strategic Policy Institute cyber expert Dannielle Cave told The Weekend Australian: “There’s no proof that Huawei was asked to participate or turn a blind eye to the breach, but we know that there was a breach and Huawei was the key provider.’
Huawei has faced mounting pressure to its core business as US sanctions have caused havoc to its supply chains. The US has also pressured its allies to ban Huawei from their networks over national security concerns, recently convincing the UK to begin removing the company from its 5G plans. Australia, Canada, and France also have bans of their own.
"Without any solid evidence, the US has launched a global campaign against a private Chinese company," China's foreign minister Wang Yi said earlier this month.
"This is a textbook example of bullying. Everyone can see easily and clearly that the US goal is to keep its monopoly in science and technology but deny other countries the legitimate right to development. It doesn't even bother to disguise its bullying. This not only violates the international rules of fair trade, but also hurts the free global market environment."