No gov’t inspection of NGCP equipment from China

Metro Manila (CNN Philippines, May 22) — The Department of Information and Communications Technology (DICT) did not inspect the China-made equipment of the National Grid Corporation of the Philippines (NGCP) in its substations — a revelation that shocked lawmakers on Monday.

During the Senate’s hearing on bills concerning e-governance and cybersecurity, Senator Raffy Tulfo raised the issue on the State Grid Corporation of China’s 40% stake in NGCP, as well as machines bought from China.

Tulfo, chairman of the Committee on Energy, said he received information that a computer virus could be planted in hardware sold by a country to another state.

“Itong hardware na ito pag nainput sa target nila na bansa, with a push button, kaya nang paandarin yung virus,” Tulfo said.

“It’s really, really very dangerous na yung NGCP natin yung mga equipment doon halos lahat made in China and in Chinese characters,” he added.

[Translation: When this hardware is inputted in a target country, the virus can be activated with the push of a button. It’s really, really very dangerous that almost all equipment in the NGCP are made in China and bearing Chinese characters.]

DICT Undersecretary David Almirol, Jr. said Tulfo’s statement is “very possible.”

“We don’t even know na pagdating ng equipment dito, na may listener pala yan. Meron na palang nakatanim na listener. Hindi siya naghahack pero every time na nagpapasok ka ng data, dumadaan, kinukuha rin niya,” Almirol said.

[Translation: We don't even know if the equipment has a listening device. It won't hack your system but will obtain all the data you input.]

He said the DICT should be doing a “technical deep audit,” but admits this is not being done to date.

"Actually tama po dapat sana before magdala ng equipment dapat magkaroon ng technical deep audit which I don’t believe that we're doing that," Almirol said.

DICT Assistant Secretary for Legal Affairs Renato Paraiso explained there used to be a Medium-Term Information and Communications Technology Harmonization Initiative or MITHI protocol, which requires all government agencies to submit procured technologies and hardwares for inspection and auditing by the then Information and Communications Technology Office.

The DICT wants this process to be included in the e-government law.

The Anti-Red Tape Authority, for its part, said it is the NGCP, a private consortium that checks the equipment through a “grid integrity test.”

But Senator Alan Peter Cayetano, chairman of the Committee on Science and Technology, said the DICT and ARTA should work together to promote security while preventing bureaucratic red tape.

“Taking that statement alone that they can bring in any equipment at ikabit na walang cybersecurity expert o walang DICT or NTC supervision, is parang inviting someone na ito bangko ko, tingan mo kung manakawan mo kami,” Cayetano said.

[Translation: Taking that statement alone that they can bring in any equipment without the supervision of a cybersecurity expert, DICT, or the National Telecommunications Commission is like inviting someone to rob your own bank.]

The NGCP earlier dismissed security concerns, saying its substations are all manned by Filipinos and China's involvement stops with the SGCC's membership in the board to represent its shareholdings.