Chinese telecommunications giant Huawei built a data centre in Papua New Guinea that exposed secret government files to theft, according to a report that catalogues Beijing's efforts to spy on the Pacific nation.
The report, provided to the Australian government, noted outdated encryption software was deployed by Huawei, while firewall settings were insufficient for a centre designed to store the entire data archive of the PNG government.
"It is assessed with high confidence that data flows could be easily intercepted," said the 2019 report on PNG's National Data Centre.
"Remote access would not be detected by security settings."
The US and its allies, including Australia, have become increasingly wary of China seeking to extend its influence among developing nations in the Pacific by offering cheap loans for major projects.
The report on Huawei is the first to document its complicity in Beijing's cyber espionage activities, after more than a decade of rumours and pointed remarks from security agencies.
The Port Moresby data centre was funded through a $US53 million development loan from China's Exim Bank and became operational in 2018, before PNG hosted that year's APEC leaders meeting.
Litany of flaws
The report noted the layout of the data centre did not match the intended design, opening up major security gaps.
"Core switches are not behind firewalls. This means remote access would not be detected by security settings within the appliances," it said.
In a statement, Huawei said: “This project complies with appropriate industry standards and the requirements of the customer.”
The report was commissioned by the National Cyber Security Centre of PNG, which is funded by the Australian Department of Foreign Affairs and Trade.
It was written by a cyber security contractor hired by DFAT and the report was then handed to the Australian government.
DFAT declined to comment.
In cataloguing major security flaws, the report, which ran to 65 pages in its original form, said the algorithm used for encrypting communications was considered "openly broken" by cyber security experts two years before being installed in Port Moresby.
The Huawei firewalls in the data centre reached their "end of life" in 2016, two years before the facility was opened.
While the report suggests a deliberate effort by Huawei to deploy lax cyber security, it noted this plan was partially thwarted by the centre quickly falling into disrepair, as insufficient money was set aside for maintenance and operations.
This resulted in many PNG government departments not moving their data into the centre as planned.
The lack of an operating budget meant basic functions such as software licences had expired, while batteries had degraded and were not replaced.
To get the data centre up and running again, Port Moresby sought financial assistance from the Australian government, a request that resulted in the report being commissioned.
Canberra has so far declined to provide funding to upgrade the centre and the report noted that a "full rebuild" would be required to modernise the facility.
This has left PNG with a $US53 million debt to the Chinese government, via Exim Bank, and a data centre that is barely operational.
Lack of funding
China's support for a data centre in PNG, using Huawei technology, was first mooted in 2009 during a visit to Beijing by former prime minister Sir Michael Somare.
The following year, Exim Bank, which is charged with implementing Beijing's trade and strategic objectives, agreed to provide the loan.
But it would take until 2014 for then prime minister Peter O'Neill to launch the project at a ceremony in Port Moresby, where he thanked China and praised Huawei.
"Let me take this opportunity to thank the government of China in making available the concessional facility of $US53 million through the Exim Bank," he said.
The data centre was part of a so-called Integrated Government Information System (IGIS), which planned to link 57 sites in Port Moresby and five regional centres.
As part of the project, the chief secretary of each PNG government department was instructed to move all data into the new centre.
A lack of funding meant only a handful of government agencies moved data into the facility and by early this year PNG was calling the project a failure.
A report completed this year by think tank The Australian Strategic Policy Institute found China had provided $US147 million for digital projects in PNG including the national data centre, the national broadband network and a biometric identity card.
Australia remained the largest donor in the 12 years to 2019 with $262 million provided for digital projects in PNG.