Editors’ picks for 2018: ‘The African Union headquarters hack and Australia’s 5G network’
27 Dec 2018

Originally published 13 July 2018.

Last week, Greg Austin wrote in The Strategist that ‘those in Australia advocating for a ban on Huawei in the 5G network—mimicking the opinion of US intelligence chiefs expressed in February 2018—have not reviewed all of the available information and perspectives’. While I don’t agree with the article’s broader argument, Austin was spot-on in one area—we haven’t reviewed all of the available information.

In Addis Ababa, the gleaming 20-storey headquarters of the African Union (AU) rises above the dusty skyline as a testament to the China–Ethiopia and broader China–Africa relationship. The Chinese government, which announced the project in 2006, built and financed the entire US$200 million complex, from the attached 2,500-seat grand conference hall to the office furniture. According to the World Bank, around 12,000 to 15,000 officials and representatives from various entities visit the AU Commission for summits, meetings and other events each year.

In January 2012, the completed building was handed over at a public ceremony. At the opening, Jia Qinglin, then-chairman of the National Committee of the Chinese People’s Political Consultative Conference, delivered a speech in which he said:

The international community should provide support and help to the resolution of African issues. China believes that such help should be based on respect for the will of the African people and should be constructive. It should reinforce, rather than undercut, Africa’s independent efforts to solve problems. Interference in Africa’s internal affairs by outside forces out of selfish motives can only complicate the efforts to resolve issues in Africa.

The AU’s grand and sprawling complex was the focus of intrigue and controversy earlier this year—controversy that sheds light on reported ‘national security concerns’ in Australia about which companies should be involved in our 5G network and other critical infrastructure projects.

In January 2018, France’s Le Monde newspaper published an investigation, based on multiple sources, which found that from January 2012 to January 2017 servers based inside the AU’s headquarters in Addis Ababa were transferring data between 12 midnight and 2 am—every single night—to unknown servers more than 8,000 kilometres away hosted in Shanghai. Following the discovery of what media referred to as ‘data theft’, it was also reported that microphones hidden in desks and walls were detected and removed during a sweep for bugs.

The Chinese government rejected Le Monde’s reporting. Chinese state media outlet CGTN (formerly CCTV) reported that China’s foreign ministry spokesperson called the Le Monde investigation ‘utterly groundless and ridiculous’. China’s ambassador to the AU said it was ‘ridiculous and preposterous’. The BBC also quoted the ambassador as saying that the investigation ‘is not good for the image of the newspaper itself’.

Other media outlets, including the Financial Times, confirmed the data theft in reports published after the Le Monde investigation. It’s also been reported on by think tanks and private consultancies from around the world.

One AU official told the Financial Times that there were ‘many issues with the building that are still being resolved with the Chinese. It’s not just cybersecurity’.

The Le Monde report also said that since the discovery of the data theft, ‘the AU has acquired its own servers and declined China’s offer to configure them’. Other media reports confirmed that servers and equipment were replaced and that following the incident ‘other enhanced security features have also been installed’.

Since the reported theft, the AU Commission has put out a variety of tenders and awarded contracts in relation to the headquarters’ information and communications technology (ICT) infrastructure, including bidding documents for a new WiFi system and a US$85,406 contract for the ‘supply, delivery and installation of firewalls for the AU Commission’.

This week an additional tender was published in relation to the AU’s data centre—the same centre that is referenced in Le Monde’s report. The tender invited organisations to bid for the ‘supply, installation, configuration, testing and implementation of next generation firewall data center for the African Union Commission’ and the bidding document explained that:

African Union’s Data Center is a very critical asset for the African Union. The data stored and systems hosted in this data center need to be protected from any form of internal or external threats and unauthorized access.

What seems to have been entirely missed in the media coverage at the time was the name of the company that served as the key ICT provider inside the AU’s headquarters.

It was Huawei.

The AU Commission signed a contract with Huawei on 4 January 2012. By the time the building hosted its first AU Summit on 29 January 2012, Huawei’s ICT solution—which included computing, storage sharing, WiFi and unified resource allocation services through cloud data centres—was in play. As explained on Huawei’s website:

As a top organization coordinating pan-African political, economic, and military issues, the African Union Commission (AUC) needed a robust information system to support a large number of conferences and the larger amounts of data that they entail. As most of this information is of a confidential nature, legacy PCs were proving too vulnerable to hackers, phishing, viruses, and other forms of compromise.

Huawei provided a range of services to the AU. It provided cloud computing to the AU headquarters and signed a memorandum of understanding with the AU on ICT infrastructure development and cooperation. It also trained batches and batches of the AU Commission’s technical ICT experts.

The main service that Huawei provided to the AU was a ‘desktop cloud solution’. Huawei described the service provision as follows:

The AU needed a robust solution to streamline their conference operations and protect their data from a variety of security threats. They chose Huawei’s FusionCloud Desktop Solution, which offers computing, storage sharing, and resource allocation through cloud data centers.

According to Huawei’s website, part of this solution included providing equipment and resources to the AU’s data centre:

The [Huawei] solution deployed all computing and storage resources in the AU’s central data center where it seamlessly connects to the original IT system. Then, Huawei installed Wi-Fi hotspots and provided the industry’s first Thin Clients (TC) customized with Wi-Fi access … Traditional PC-based architecture exposes data to serious security risks. With Operating Systems (OS) and applications installed on individual machines, data is vulnerable to viruses and plain text transmissions are easier to steal. The FusionCloud solution moves the OS and applications to centralized servers in the AU’s data center to minimize information leakage while TC security measures such as authentication and encryption further secure data.

Huawei’s desktop cloud solution was central to the AU’s cybersecurity and data-protection efforts. Huawei listed ‘better security’ as one of its key benefits. Huawei described the provision of this better security as follows:

Centralized storage in the data center protects data from attack and prevents data leakage from PCs. The system further protects with terminal authentication and encrypted transmission.

But despite the installation and use of Huawei’s ICT services, reputable media outlets reported that the AU’s confidential data wasn’t protected.

There are several possible explanations for why the AU’s confidential data wasn’t protected and safeguarded appropriately from security threats. Let’s say that Huawei was in no way complicit in the alleged data theft. With this option placed to the side, what else is left on the table? There’s the possibility of a (very lengthy) insider threat, for example. There’s also cybersecurity incompetence. Or perhaps the company never discovered the alleged five-year data theft?

Could the reported theft of data have occurred from a set of servers that were outside of Huawei’s purview? While that’s possible, we do know that Huawei ‘deployed all computing and storage resources in the AU’s central data center’. Le Monde described the data transfer as occurring from the AU’s servers—servers which were then replaced.

There was also another company that had some involvement in the AU headquarters’ ICT infrastructure: Chinese telecommunications company ZTE. A current bidding document states: ‘New Conference Center (China Building) uses ZTE and HUAWEI technologies.’ There’s little information, in open-source documents at least, about the services ZTE may currently or have previously provided. Nor is there information that suggests it had an overarching role in the provision of ICT services inside the headquarters. Job advertisements for telecommunications engineers inside the AU Commission do cite managing a ‘ZTE integrated business exchange device (IBX)’ as one of the role’s major responsibilities.

So let’s cycle back to the debate on whether Huawei should be allowed to participate in Australia’s 5G network. Let’s say you’re not bothered by the fact that Huawei regularly funds the overseas travel of our politicians (which is within the law). You’re also not convinced by the arguments that Huawei is too great of a technical and cybersecurity risk to our 5G network.

You’ve also decided to dismiss—although I don’t know how—China’s 2017 National Intelligence Law (and other legislation, such as the counterespionage law), which states that ‘all organizations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work, and guard the secrecy of national intelligence work they are aware of’.

Now we have a startling piece of new information to add into the mix. Despite a very public commitment to cybersecurity and the provision of secure data protection, and despite promotional material that boasts of Huawei’s robust and enhanced information security services to the AU—it turns out the AU’s confidential data wasn’t secure at all.

This doesn’t mean the company was complicit in any theft of data from the AU headquarters. But it does mean it must answer some tough questions in relation to this incident. Why? Because it’s hard to see how—given Huawei’s role in providing equipment and key ICT services to the AU building and specifically to the AU’s data centre—the company could have remained completely unaware of the apparent theft of large amounts of data, every day, for five years.

But if in fact Huawei never discovered what appears to be one of the longest-running thefts of confidential government data that we know about, and if it remained completely unaware of this alleged theft for approximately 1,825 days in a row—what are we left with?

A national security concern.