Investigation Demanded Over China's Alleged Btc 'Spying'

A "serious investigation" was demanded yesterday into allegations that China has exploited the Bahamas Telecommunications Company's (BTC) mobile phone network to spy on US citizens.

BTC, which is 49 percent owned by the Government, told Tribune Business in a statement it was "carefully reviewing" claims - first published in the Guardian newspaper in the UK - that state-owned Chinese communications providers had used its systems to conduct surveillance on Americans roaming on their mobile phones in The Bahamas.

"Across all the markets where Cable & Wireless Communications (CWC) operates, including The Bahamas, we continuously monitor our networks and have robust security policies and protocols in place to protect the data of our customers. We take our commitment to data protection seriously, and are carefully reviewing the information in the Guardian article," BTC said.

Other CWC subsidiaries in the Caribbean, especially Barbados, were also identified as major sources of these alleged breaches which - if true - have huge national security and economic implications for The Bahamas, as well as its ability to safeguard the personal data and civil liberties of both its own citizens and US visitors that make up 85 percent of its tourism market.

The assertion that major security vulnerabilities exist in the Bahamian telecommunications system was based on a report by Gary Miller, a US former mobile network security executive, who was said by the UK Guardian to have "spent years analysing mobile threat intelligence reports, and observations of signalling traffic between foreign and US mobile operators".

Miller and his business, Exigent Media, a cyber threat research firm, have published two reports that detail how BTC's mobile phone system was purportedly used in a "co-ordinated attack" on US cellular phone numbers by Chinese state-owned mobile providers.

The first report, Far from home - active foreign surveillance of US mobile users, argued that international roaming - the practice whereby Bahamians use a foreign carrier's network for communications services overseas, just as Americans use BTC and Aliv's systems when they are in this nation - has enabled "covert foreign surveillance" of mobile users.

It explained that hostile actors can exploit this to send signalling messages to Americans' mobile phones while they are in The Bahamas and other countries without alerting the user. While these SS7 signals can legitimately be used by operators to locate mobile users, connect calls and assess roaming fees, Mr Miller's report argued that they can also be deployed for illicit purposes.

He added that most such intrusions were intended to trace the mobile user's location, but they could also extend to monitoring and covert surveillance once the phone's "network identity" and number are obtained. Such information can be exploited to "purge" a user from their mobile network, and ultimately take over all communications they send and receive.

While The Bahamas and BTC accounted for just 0.34 percent and 0.35 percent of country and operator "attacks", respectively, in 2019, both were singled out for special mention due to their unwitting alleged involvement in a series of "co-ordinated" raids on several US phone numbers in 2018 and 2019.

"Attacks are co-ordinated between foreign country networks," the report asserted. "In 2018, China, Barbados and The Bahamas networks were observed attacking the same mobile users with similar techniques. Likewise, attacks from China, Palestine, The Bahamas and Panama networks were also observed, indicating network selling for conducting intelligence operations.....

"A cluster of attacks was discovered targeting a group of US phones from networks including China Unicom, Cable & Wireless (Flow) Barbados and BTC. The attacks against these phones indicated co-ordination between the operators.

"This could be achieved by China acquiring network addresses from these two Caribbean operators, allowing China to originate attacks, both of which are partially owned by the same parent company, CWC." One US mobile was purportedly subject to 87 such "attacks" via BTC's network, while two other users saw some 14 and 12 intrusion attempts, respectively.

State-owned Chinese providers, China Mobile and China Unicom, were identified as the major source of these so-called "attacks", with the report speculating that BTC and other Caribbean communications providers may have unwittingly aided them by selling or leasing network addresses to Beijing-controlled entities.

Both Marvin Dames, minister of national security, and Dionisio D'Aguilar, minister of tourism and aviation, both said they were unaware of the allegations and declined to comment when approached for comment by Tribune Business yesterday.

Ricardo Thompson, president of the Bahamas Communications and Public Managers Union (BCPMU), which represents BTC's line staff, argued that the matter warranted "serious investigation" to determine whether the report's findings and accusations were true.

"We should definitely be very concerned. I'm sure we should be very concerned," he told Tribune Business. "We'll have to look into the matter. That calls for some serious investigation if that is what has been happening. I'm surprised this sort of thing has not been picked up in the network. Some things you look for, other things you don't.

"I think we definitely should be very concerned about it. When you think about national security, if it has happened for a second time with another international interference, this is really cause for concern."

The "second time" reference by Mr Thompson alludes to claims made in 2014 by National Security Agency (NSA) whistleblower, Edward Snowden, that the US was intercepting almost every mobile call made in The Bahamas via a spying/surveillance initiative called SOMALGET.

BTC, as the then-monopoly provider, said it would investigate the allegations but asserted that "no such activity is ongoing". The then-Christie administration promised to take the matter up with US officials, but the outcome was seemingly inconclusive.

Some in the Bahamian communications industry, though, were more cautious and sceptical of both the Miller report and the Guardian article. "The whole thing is odd," one source, speaking on condition of anonymity, said. "It's so speculative, the whole article. I'd have to look into it a lot more. As someone who understands telecommunications and how it works, it doesn't make sense to me."

Meanwhile, Damian Blackburn, top executive at Aliv, BTC's mobile rival which wasn't mentioned in the report, declined to comment beyond saying: "We take the appropriate measures to keep our customers' data as safe as possible."

The assertions, if true, threaten to drag The Bahamas into the US-China global geopolitical struggle at the worst possible time with the economy struggling to recover from COVID-19. There has been much speculation, none confirmed, that one factor driving the US embassy's relocation is the nearby presence of state-owned China Construction America (CCA) at the Hilton and Pointe.

It also badly timed from the perspective that The Bahamas is moving to make greater inroads into the digital economy post-COVID-19, and secure and reliable communications will form the foundation for this venture. Tourism and financial services, the economy's existing 'twin pillars', rely heavily on their clients being able to roam and having security over their personal data and finances.

The affair may also reignite US pressure about the use of technology and equipment manufactured by Huawei, and other Chinese companies, in The Bahamas' mobile communications networks and elsewhere.

The US Embassy was recently prohibited from doing business with Bahamian companies that employ products made by Huawei and other firms, such as ZTE, Hikvision, Hytera, Dhaka and their subsidiaries and affiliates, due to their purported close ties to the Chinese Communist Party.

Bernard Evans, the former Bahamas Communications and Public Officers Union (BCPOU) president, yesterday voiced concern that The Bahamas was "somewhat being used as a pawn" in the battle between the world's major powers due to its dependency on outside communications technology.

Acknowledging that Bahamian civil liberties, as well as those of its visitors, were under potential threat, he added: "It's very, very alarming if our tourists are coming here, and 85 percent of them come from the US, and they can't use their phones for leisure and business without their data being captured by a foreign entity.

"Obviously, from a tourism and business perspective it's very disheartening and very concerning that we can't guarantee those coming here are protected in using their phones leisure and business wise."