View profile

Digicel / Telstra - A security win?

The Village Explainer
Digicel / Telstra - A security win?
By Dan McGarry • Issue #52 • View online
The Village Explainer is a semi-regular newsletter containing analysis and insight focusing on under-reported aspects of Pacific societies, politics and economics.
This is the second part of our look at the proposed Digicel / Telstra deal. In this issue, we ask: Would this be this a security win for Australia?
(Spoiler: No. Not in any real sense. Not for Australia, and not for the Pacific.)

It’s hard for me as a former software developer to express just how deep my bemusement runs at the news that Digicel and Telstra are in talks concerning the potential sale of the Denis O'Brien’s embattled Pacific step-child. The sale, if it happens, will be backed by substantial financing by the government of Australia—up to US $1.5 billion, according to some reports.
The motivation for this, apparently, is to forestall a Chinese-backed takeover that would leave Pacific islanders wide open to mass surveillance.
That one simple sentence contains so many invalid assumptions, it’s hard to know where to start.
Let’s take it step by step.
1) Would the sale of the carrier to a Chinese company create new opportunities to spy on Pacific islanders, and presumably Australians?
Well, yes and no. As telecoms researcher Dr Amanda Watson pointed out to me in a conversation earlier this week, Chinese hardware is already deeply embedded in Pacific infrastructure.
PNG’s State Enterprises Minister Sasindran Muthuvel is on the record saying that not only is Huawei a part of the country’s national infrastructure, it’s their preferred vendor.
All three of PNG’s national telcos, he said, are using Huawei equipment. In fact, Bernard Yegiora has argued that Huawei’s central presence in PNG telecoms makes them an important driver of digital development.
The prevalence of Chinese equipment extends across the Pacific islands, though some countries have taken nominal steps to limit their exposure on this front.
Vanuatu’s national e-Gov network, which joins government facilities across the capital and throughout the country, was built by Huawei. But much of the switching and transmission equipment was subsequently swapped out for other vendors. The decision was described as a scheduled upgrade, but I’d bet good money that security was a dimension in the product choice, as it should be in all network-related decisions.
But the presence of Chinese-manufactured equipment isn’t the only way the CCP could conduct a mass surveillance operation.
Dr Watson highlighted this report of a series of attacks known as Advanced Persistent Threats (or APTs). An APT is a targeted attack against a particular subject, in which the attacker takes pains to hide their presence, in order to continue spying for as long as possible.
These attacks targeted telecoms companies in order to steal subscriber and account information. This kind of data can be used to track a person’s movements over time. They show which mobile tower a person is connecting to. With persistent data connections on phone apps, individuals can be tracked minute by minute this way.
If you want a detailed account of how this kind of thing works, I strongly recommend the ground-breaking data-driven investigative group Bellingcat. They used mobile phone records to identify and track the hit team that followed Russian opposition figure Alexander Navalny to Siberia, and then poisoned him in an alleged assassination attempt.
Incidentally, Bellingcat doesn’t own any Russian phone companies. That doesn’t appear to have slowed them down much.
So here’s what we’ve learned so far:
  • Chinese companies already have a lot of equipment deployed inside Digicel and other Pacific telecoms companies.
  • Even if it didn’t, a sophisticated technological power such as the CCP doesn’t need to own the telcos to steal their crown jewels.
2) Does ensuring Australian ownership of Digicel Pacific advance Australian/Five Eyes surveillance capacity?
Again, yes and no.
The Australian Signals Directorate is a sophisticated and technologically advanced organisation. It may lack the massive budget and deep tie-ins to manufacturers that China possesses, but it has world-class talent, and it’s a key partner in the Five Eyes alliance.
Australia looks after its own interests as well as those of its partners. As the Bernard Collaery / Witness K case has shown us, it’s also used those capabilities against its friends.
The Five Eyes are known to have been active in the Pacific in the past, and it would defy reason to suppose that they aren’t still.
Back in 2015, as a by-product of the Snowden revelations, it was revealed that a not-so-secret facility in New Zealand targeted Pacific islands internet traffic in ‘full-take’ operations. These are activities in which all traffic between two points is hoovered up. Because all of the Pacific island countries’ traffic passed over satellite at the time, it was a costly but straightforward proposition.
Ownership of the satellites wasn’t required.
At the time, then-Samoan Prime Minister Tuilaepa Sa'ilele Malielegaoi opined that this kind of spying is just fine, and possibly channeling Clauswitz, he suggested that mass surveillance was just an extension of diplomacy.
His fatalistic attitude toward surveillance by friend and foe alike is as understandable as it is lamentable. For those who deal with sensitive information, it’s often necessary to assume—and act as if—someone is watching you all the time.
Shortly after the revelations concerning the bugging of the Timorese conference room in which their territorial negotiations with Australia were discussed, the Vanuatu delegation to a high-level meeting in Port Vila with the Australian foreign minister rocked up en masse, pulled out notepads and pens as one, and plunked them down on the table. Not a phone or a laptop was present. It was a symbolic gesture, but a pointed one.
In short:
  • Spies gonna spy, and no $1.5 billion in Australian dosh is going to change that, though it might marginally increase the time and effort required to do it.
3) Does the issue of who will / should own Digicel affect individuals and groups in the Pacific who have something to hide?
Not really.
Let’s be clear: Criminals aren’t the only ones who have something to hide. We all have information we want to protect, even if it’s just photos of the kids. Some of those secrets could be extremely damaging to us if they got out.
As a working reporter, I’m often stuck talking with people using less than ideal means. But perfect confidence is hard to achieve. About the best we can muster is seemingly random in-person encounters with people in noisy, open areas.
But that’s a lot harder to do these days.
Let me run down the calculus: In descending order: I trust two-party communications over Signal or through my encrypted, zero-knowledge email account, I kinda trust chatting via WhatsApp. Much less so my Twitter DMs and communications over Messenger.
But I don’t entirely trust the phone I use (not the telco, the phone itself). I don’t trust my own PC, in spite of the fact that I browse safely and keep the machine up to date.
I actively distrust my Huawei fibre-optic router—enough to have installed an encrypted VPN tunnel on this side of it.
Does the question of who owns Digicel keep me up at night? Not really. Well, not any more now than it did before. The broader questions about state surveillance powers do, though. The reality of living in a surveillance society hits journalists first, and hardest. And it’s hard to come to terms with just how circumscribed we now are.
But let’s be clear: If any of the major spying powers want to know what you’re up to, they’ll find out. It’s not like an analyst somewhere in China is going to shake their fist and say, “Hey, wait—that telco is owned by Telstra! Curses! Foiled again!”
That means:
  • You can—and should—take steps to secure your sensitive personal communications. But that’s true no matter who owns Digicel Pacific.
4) So knowing what we know, is Digicel worth $1.5 billion to the people of Australia? To the people of the Pacific?
No. Not remotely. Not as a security measure, anyway.
Australians will not be one jot more secure if Telstra buys Digicel Pacific. Even with the most state of the art counter-measures in place, commercial software and firmware is so rife with vulnerabilities that massive data grabs and targeted hacks will be laughably easy for may years yet to come.
I should add that Telstra is not the first telco I think of when I think about network security.
And the question for Pacific islanders, sadly, is who gets pride of place when—not if—we get spied on.
But the thing that is sure to stick in people’s craw is this:
The government of Australia has shown it’s willing to splash out a cool billion and a half at the drop of a hat on a silky-thin illusion of security, but unwilling even to talk meaningfully about the single greatest security threat facing the world today: Climate change.
Did you enjoy this issue?
Dan McGarry

The Village Explainer is a semi-regular newsletter containing analysis and insight focusing on under-reported aspects of Pacific societies, politics and economics.

If you don't want these updates anymore, please unsubscribe here.
If you were forwarded this newsletter and you like it, you can subscribe here.
Powered by Revue
Dan McGarry - Port Vila, Vanuatu