Sunday, November 10, 2019

Experts warn of spying risk in AFP deal with China-backed telco (Pt. 2)

From Rappler (Nov 11, 2019): Experts warn of spying risk in AFP deal with China-backed telco

The military's co-location deals with Smart Communications, Globe Telecom, and Dito Telecommunity are prone to spying, experts say, but Dito's link to the Chinese government means the third telco poses a greater threat

CONCLUSION

READ: Part 1 | Experts warn of spying risk in AFP deal with China-backed telco


MANILA, Philippines – The most significant feature of Dito Telecommunity's co-location contract with the military that sets it apart from the otherwise similar contracts of Globe Telecom and Smart Communications is a provision that is a tacit admission that the arrangement could indeed lead to spying. This was the assessment of experts whom Rappler consulted.

Article 7 of Dito’s and Smart’s contracts, and Article 6 of Globe’s, pertain to “Security.”

Here, Globe and Smart have only two provisions, which Dito also has:

Section 1 – “Access to the sites/facilities of either party shall be restricted and controlled by the Host in the interest of security. Consequently, only authorized persons as determined by the Parties shall be allowed access to said sites/facilities.”

Section 2 – “The Host shall allow access to the Co-locator to place the Co-locator’s site attendants at the co-location sites. The assignment of site attendant must be subject to approval of the Host.”

The wording of Section 2 in Globe’s contract is slightly different but does not essentially change the provision’s meaning.

How about the contract with Dito? This one adds a third provision.

Section 3 – “Mislatel guaranties (sic) that the devices, equipment and/or structures installed at the site provided by the AFP shall not be used by the Co-locator and/or any other entity to obtain classified information from the AFP.”

Is the third provision in Dito’s contract a tacit recognition by the AFP of the possibility that the telco might exploit the arrangement for espionage, to China’s advantage?

“Yes, of course,” said the retired high-ranking military source Rappler consulted for this story, who spoke on condition of anonymity.

Shouldn't this address the security concerns? The source stressed that "a guarantee is not an assurance."

He added: "You’ll have to look at the big picture – China’s unrestricted warfare strategy and gray zone tactics,” the retired officer warned, citing as an example Russia’s 2014 annexation of Crimea in Ukraine by “paralyzing its telecommunications and power.”

Rappler's telco source, an information security expert with 30 years of experience in the industry, believes the addition of Section 3 to the Dito MOA implies the need to keep a closer watch on the new telco.

"The presence of that third one tries to really put a clear statement, written or unwritten, that there’s additional safeguards that need to be done with this third contract. Whether that’s because of the personalities involved or the corporate structure of the company, maybe that’s the reason they put these additional safeguards on security,” he said.

For defense analyst Jose Antonio Custodio, a tacit admission of the risk of espionage is already contained in the first two sections.

"All, from Globe to Smart, all recognize that, because Section 1 and Section 2, which are common to all 3 contracts, presuppose that the equipment can be used for espionage. There’s no question. All can be used for espionage,” Custodio said.

"This shows that you already suspect the other side of doing something bad. This Section 3, it’s like a political statement that really carries no weight because basically, Sections 1 and 2 should already cover Section 3….It’s just to head off public sentiment,” he added.



SECURITY CLAUSE. The memorandum of agreement between the Armed Forces of the Philippines and Dito Telecommunity adds a 3rd provision to the security article that otherwise resembles Globe's and Smart's. This 3rd provision tackles classified information. Photo obtained by Rappler

The context of China
Soon after the MOA was signed and sparked controversy last September, Dito released a statement to fend off concerns about cybersecurity risks.

"We want to assure the public that Dito has a cybersecurity plan, as approved by the National Telecommunications Commission (NTC), and that the company will always protect the national and cybersecurity interests of the Philippines,” Dito Telecommunity chief administrative officer Adel Tamano said in a statement on Tuesday, September 17.

Tamano was Dito’s signatory on the contract with the military.

Custodio gives the telco’s Filipino owners the benefit of the doubt. What’s suspect, he said, is China Telecom.

“The Philippine side, let’s say, in principle, can be guaranteeing. For the benefit of the doubt, Dennis Uy’s side can say, ‘We are really not going to do anything.’ But can he control the 40% Chinese element, the Chinese presence there? That is your problem,” Custodio said.

What's the common concern of the security experts? China has a long history of, and modern capacity for, spying.

In fact, Australia, Canada, Japan, New Zealand, Taiwan, the UK, and the US have either banned or restricted the use of the Chinese company Huawei’s technology in their 5th generation or 5G networks to guard against Chinese spying.

Custodio, the telco source, and the military source all pointed this out.

Although Globe and Smart have been using Chinese-made technology to certain degrees, Custodio said Dito takes it a notch higher by having a Chinese company actually be responsible for its entire infrastructure as a part-owner.

“There will be attempts now by China to exploit that, okay? So Section 3 will not be a protection from that, okay? Because you gave a window of opportunity to the Chinese,” Custodio warned.

“Perfunctory. That’s how I’d characterize the contract,” the military source told Rappler after studying the Dito MOA.

“You won’t find anything in the contract,” he added. It provides no real safeguard against information security breaches.

'Local intercept'

For the telco information security source, however, the problem goes beyond having a Chinese-backed telco’s cell sites inside or near Philippine military camps.

Wireless telecommunication technology means spying can happen between any two gadgets that are online – whether they’re a meter, a kilometer, or a continent apart.

“If you remember, during analog days, there was wiretapping. Even currently, in the GSM (Global System for Mobile Communications) state, with all this encryption, that’s also possible already, no? And that’s not a hidden fact,” the telco source said.

Nowadays, one doesn’t need a physical wire to tap into a communication exchange, as any hacker would attest to. Encryption can protect private information the way a wall encloses a space. However, no wall is too high for the determined climber – or hacker.

Ultimately, no system is immune to breaches. It’s only a matter of how long it takes to crack its encryption code.

Besides, any smartphone, laptop, or tablet is embedded with a feature through which the provider of the connection could access its information, the telco source said. Theoretically, it can be done by anyone who has the “key” to activate this feature.

“[This is] the so-called local intercept. That’s a feature on GSM, and you can be able to tap or capture [information]. But of course, those tapping equipment or wireless equipment that can do local intercept, that’s not being used here in this country if not needed,” the telco source said.

“Remember, all of our telecom equipment, even if that’s Huawei, ZTE, or the like, have that feature already embedded into it. You can do local intercept, but it’s a deactivated feature.”

“In other countries, because of the threat of terrorism, it’s activated. But in the Philippines, it’s not yet allowed to be activated,” he added.

Who holds the key to activate it? “The telco. But the government has the right to issue an order to activate it so that government agencies will be able to get in and get those information out,” the telco source said.

In terms of accessing military information, it does not really matter whether or not a tower is inside the camp itself.

“You can do local intercept wirelessly even if you’re one kilometer or 10 kilometers away, as long as I am able to put up an antenna and do a wireless scan all over the area. And as you very well know, a lot of these antennae can reach ranges from 1, 2, 5, 10 kilometers and so on. It can do a big wireless radius scan,” said the telco source.



DEAL SIGNED. Former AFP chief of staff General Benjamin Madrigal Jr (2nd-R), 3rd-Telco Mislatel president and CEO Dennis Uy (2nd-L), Major General Adrian Sanchez (right), and Atty Adel Tamayo (left) during the ceremonial signing of the MOA between the AFP and Mislatel at Camp Aguinaldo on Sept 11, 2019. Photo by Darren Langit/Rappler

So why bother checking this agreement? What does it matter whether or not co-location deals with telcos give another country such as China access to military bases and camps?

The concern is “not espionage per se but China networking within the Philippine military,” Custodio said.

“That’s the other aspect here that is very important that people forget. It’s not just the espionage capability. It’s the fact that the Chinese are networking in the Philippine military as there are officers who are willing to provide that necessary opportunity for the Chinese to expand their influence within,” he added.

China Telecom personnel, working for Dito, will have direct access to the AFP’s facilities where they will put up their cell sites. They will have close dealings with AFP personnel, perhaps even access to their personal communications. The exchange deal will have them working on the AFP’s own communication systems, and training its communication personnel.

“They will always try to look for an opportunity to slip something in,” Custodio said, referring to China Telecom.

“So the Chinese, once they are able to do that through a combination of networking and eavesdropping, they will find more ways to co-opt the Philippine military and the military will then lose sight of its mandate to protect the territorial integrity of the country. Instead, it will sing hosannas to Beijing,” Custodio said.

What are the other security implications? China would not only want to tap into the Philippine military’s communications. The AFP has broad dealings with the US military because of their treaty alliance.

As China and the US run a global political and economic race, the US military may become wary of dealing with the AFP, knowing China’s ears could be listening in.

That would be a problem for the Philippines, which still largely depends on its treaty alliance with the US as a deterrent against foreign aggression.

“So for example, you have a tower that is within or near an AFP compound, then you can put sensors there that can now try to decipher or crack whatever encrypted communication the Philippine military has with its traditional allies.“ Custodio said.

'Nothing wrong'

When Defense Secretary Delfin Lorenzana, on September 30, was asked by the Senate appropriations panel why he would allow the military to enter into such a deal, he threw the question back at the lawmakers: Why did you grant Dito a franchise in the first place?

Lorenzana said it put the AFP in a bind. How could it refuse the third telco an arrangement it already had with the first two? Besides, the first two telcos also have foreign equity: Globe has Singapore’s Singtel, and Smart has Japan’s NTT.

Senate Minority Leader Franklin Drilon then pointed out that neither country has a sovereignty dispute with the Philippines – unlike China, with its spurious claim over much of the West Philippine Sea.

And among those countries, only China has a law that mandates companies it owns to provide intelligence to its government.

The senators asked Lorenzana to hold off signing his final approval of the contract until they are able to scrutinize it for its security implications.

On October 17, Lorenzana said he found "nothing wrong" with the agreement, and he was inclined to sign it. He was just waiting for the Senate to give its opinion.

The AFP chief of staff at the time the deal was signed, General Benjamin Madrigal, downplayed the threat, telling reporters in a briefing on September 17, "Remember, you are dealing with a Chinese company, not the Chinese government,” referring to China Telecom.

The reporters in the room had to tell him there was hardly any difference.

More expensive fish

What all this reveals, Custodio said, is that China’s influence over the Philippine military is “steadily growing.”

“The overall interest of the Chinese is to break the influence that we have with our traditional allies. So they will now cultivate people within the AFP who can be used to obstruct alliance activities and to bring the AFP institutionally closer to China,” he said.

Ultimately, this could make the military even less willing to confront China on the frontline of its conflict of interest with the Philippines: the West Philippine Sea.

“How does this affect the ordinary Filipino? Well next time around, he’s going to have more expensive fish. Why? Because the Chinese have managed to co-opt the Philippine military, so the Philippine military will not anymore push back against the Chinese who are now going to ravage our seas,” Custodio said.

For our telco practitioner source, however, the problem goes far beyond Chinese presence in military camps.

“National cybersecurity is the bigger problem. Everybody needs a cybersecurity system. Everybody. Including our government. Eh ngayon, open gate ka eh (Right now, were an open gate),” he said.

The government must create an agency to secure and oversee the country’s cybersecurity – a “cybersecurity center” – that would constantly watch for attacks, the telco source said. The thing about cyber attacks, he added, is that “if the attacker can see you, you can see them,” so it’s just a matter of constant and competent vigilance.

It would, however, entail critical legislation because it might run in conflict with current data privacy laws, the telco source said, but that’s what it would take to really secure the communications not just of the military but of all Filipinos.

“Rather than a contract. What’s a contract, right? It’s ink on paper. How can that protect you?”

https://www.rappler.com/newsbreak/in-depth/244602-conclusion-experts-warn-spying-risk-military-contract-china-backed-telco

No comments:

Post a Comment

Note: Only a member of this blog may post a comment.