Chinese telecommunications giant Huawei built a data centre in Papua New Guinea, which exposed secret government files to being stolen, according to a report that catalogues Beijing's efforts to spy on the Pacific nation.
The report, provided to the Australian government, noted outdated encryption software was deployed by Huawei, while firewall settings were insufficient for a centre designed to store the entire data archive of the PNG government.
"It is assessed with high confidence that data flows could be easily intercepted," said the 2019 report on PNG's National Data Centre.
"Remote access would not be detected by security settings."
The US and its allies, including Australia, have become increasingly wary of China seeking to extend its influence among developing nations in the Pacific by extending cheap loans for major projects.
The report on Huawei is the first to document its complicity in Beijing's cyber espionage activities, after more than a decade of rumours and pointed remarks from security agencies.
The Port Moresby data centre was funded through a $US53 million development loan from China's Exim Bank and became operational in 2018, before PNG hosted that year's APEC leaders meeting.
Litany of flaws
The report noted the layout of the data centre did not match the intended design, opening up major security gaps.
"Core switches are not behind firewalls. This means remote access would not be detected by security settings within the appliances," it said.
In a statement, Huawei said: “This project complies with appropriate industry standards and the requirements of the customer.”
The report was commissioned by the National Cyber Security Centre of PNG, which is funded by the Australian Department of Foreign Affairs and Trade.
It was written by a cyber security contractor hired by DFAT and the report was then handed to the Australian government.
DFAT declined to comment.
In cataloguing major security flaws, the report, which ran to 65 pages in its original form, said the algorithm used for encrypting communications was considered "openly broken" by cyber security experts two years before being installed in Port Moresby.
The Huawei firewalls in the data centre reached their "end of life" in 2016, two years before the facility was opened.
While the report suggests a deliberate effort by Huawei to deploy lax cyber security, it noted this plan was partially thwarted by the centre quickly falling into disrepair, as insufficient money was set aside for maintenance and operations.