Australia slams Huawei for ‘security vulnerabilities’ in PNG data centre

12 August 2020 | Alan Burkitt-Gray

A report to the Australian government is claiming that a Huawei-built data centre in Papua New Guinea (PNG) had serious security vulnerabilities.

The project was part of a US$147 million digital support package from China to PNG, which is also funding a national broadband network.

Two years ago Australia also asked PNG to drop Huawei as a supplier of the 5,457km cable, which has a capacity of 8Tbps. But the PNG government said no.

The data centre, in Port Moresby, capital of PNG, has outdated encryption software and inadequate firewall settings, says the Australian Strategic Policy Institute (ASPI), which sent the report to the Australian government earlier this year, according to business newspaper Australian Financial Review (AFR).

The data centre was funded by a $53 million loan from China’s Exim Bank, says the AFR – part of the $147 million package.

Huawei told the AFR that the data centre project “conforms to appropriate industry standards and customer requirements”.

Capacity has asked Huawei for a separate comment on the issue.

PNG, with only 8.6 million people, lies in a strategic position between Australia to the south and Indonesia to the west. For years it has been a point of rivalry for influence between China and Australia, which, backed by the US, has taken a hostile position to Huawei and other Chinese companies.

The ASPI study was commissioned by Papua New Guinea’s National Cyber Security Centre, which is funded by the Australian government. An unnamed cybersecurity contractor hired by Australia produced the report.

The AFR says that the firewalls had already reached their end of life in 2016 – two years before the centre became operational. The paper quotes the security report as saying: “The main switches are not behind the firewalls. This means that remote access would not be detected by the security settings within the appliances.”

According to the report, the PNG government ran out of money for the data centre, so that it was not fully used – and software licences expired and batteries were not replaced.

The PNG government asked Australia for funds to get the data centre operational again – which is why the ASPI was hired to study the project and report back.

According to the AFR newspaper, the ASPI report suggests that the data centre exposed PNG government files to being stolen, hinting this was part of China’s efforts to spy on the country.

The ASPI has been strident in its opposition to Huawei in Australian networks. Its website contains reports from 2018 and 2019 welcoming Australia’s decision to ban Huawei from any role in its 5G networks.

The ASPI said two years ago: “Australia’s 5G network is critical national infrastructure and this was one of the most important policy decisions the government had to make this year. ASPI felt it was vital to stimulate and lead a frank and robust public discussion, in Australia and throughout the wider region, which analysed and debated the national security, cybersecurity and international implications of Huawei’s involvement in this infrastructure.”

Four years ago PNG signed a contract with Huawei to build a 5,457km cable, with a capacity of 8Tbps, that would link 14 major coastal centres as well as islands and would be operated by PNG DataCo.

In 2018 Australia put PNG under pressure to cancel the deal, but William Duma, the country’s minister for public enterprise and investment, said that it “has an existing agreement” and said the decision was “about honour and integrity”.