Connect with us


Myanmar’s Military Deploys Digital Arsenal of Repression in Crackdown

Mish Boyka



Myanmar’s Military Deploys Digital Arsenal of Repression in Crackdown

During a half century of military rule, Myanmar’s totalitarian tools were crude but effective. Men in sarongs shadowed democracy activists, neighbors informed on each other and thugs brandished lead pipes.

The generals, who staged a coup a month ago, are now back in charge with a far more sophisticated arsenal at their disposal: Israeli-made surveillance drones, European iPhone cracking devices and American software that can hack into computers and vacuum up their contents.

Some of this technology, including satellite and telecommunications upgrades, helped people in Myanmar go online and integrate with the world after decades of isolation. Other systems, such as spyware, were sold as integral to modernizing law enforcement agencies.

But critics say a ruthless armed forces, which maintained a dominance over the economy and powerful ministries even as it briefly shared power with a civilian government, used the facade of democracy to enable sensitive cybersecurity and defense purchases.

Some of these “dual-use” technologies, tools of both legitimate law enforcement and repression, are being deployed by the Tatmadaw, as the Myanmar military is known, to target opponents of the Feb. 1 coup — a practice that echoes actions taken against critics by China, Saudi Arabia, Mexico and other governments.

In Myanmar, they are the digital weapons for an intensifying campaign in which security forces have killed at least 25 people and detained more than 1,100, including the ousted civilian leader, Daw Aung San Suu Kyi. On Monday, she was hit with new criminal charges — making a statement that could alarm the public and inducing someone to act against the state — that could put her in prison for years.

“The military is now using those very tools to brutally crack down on peaceful protesters risking their lives to resist the military junta and restore democracy,” said Ma Yadanar Maung, a spokeswoman for Justice For Myanmar, a group that monitors the Tatmadaw’s abuses.

Hundreds of pages of Myanmar government budgets for the last two fiscal years viewed by GFN show a voracious appetite for the latest in military-grade surveillance technology.

The documents, provided by Justice For Myanmar, catalog tens of millions of dollars earmarked for technology that can mine phones and computers, as well as track people’s live locations and listen in to their conversations. Two parliamentary budget committee members, who requested anonymity given the sensitive political climate, said these proposed budgets for the Ministry of Home Affairs and Ministry of Transport and Communications reflected actual purchases.

The budgets detail companies and the functionality of their tools. In some instances, they specify the proposed uses, like combating “money laundering” or investigating “cybercrime.”

“What you see the Myanmar military putting together is a comprehensive suite of cybersecurity and forensics,” said Ian Foxley, a researcher at the Center for Applied Human Rights at the University of York. “A lot of this is electronic warfare capability stuff.”

The assembly of Myanmar’s modern surveillance state has depended partly on patrons like China and Russia that have few qualms about equipping authoritarians. It has also relied on Western companies that saw the country’s five years of hybrid civilian-military rule as an opening, legally and politically, to build a frontier market in what appeared to be a nascent democracy.

Beginning in 2016, the Tatmadaw handed some authority to a civilian government led by Ms. Aung San Suu Kyi’s National League for Democracy, which won two landslide electoral mandates. Despite inching toward democracy, the military maintained significant control over spending, particularly for defense, law enforcement and other security affairs.

The documents indicate that dual-use surveillance technology made by Israeli, American and European companies made its way to Myanmar, despite many of their home governments banning such exports after the military’s brutal expulsion of Rohingya Muslims in 2017.

Even in countries that didn’t officially block such trade, many Western purveyors had clauses in their corporate guidelines barring their technology from being used to abuse human rights.

In the most egregious cases, firms supplied surveillance tools and weaponry to the military and the ministries it controlled, evading arms embargoes and export bans. In others, they continued to sell dual-use technology without conducting due diligence about how it might be used and who might use it.

Often, they depended on military-linked brokers who thrive in the shadowy interstices, allowing the Tatmadaw to acquire the tools of oppression indirectly from foreign companies.

Hardware that was sold to the police to catch criminals is being used to track opponents of the coup online and offline.

Documentation for post-coup arrest warrants, which were reviewed by The Times, shows that Myanmar’s security forces have triangulated between their critics’ social media posts and the individual addresses of their internet hookups to find where they live. Such detective work could only have been carried out by using specialized foreign technology, according to experts with knowledge of Myanmar’s surveillance infrastructure.

“Even under a civilian government, there was little oversight of the military’s expenditure for surveillance technology,” said Ko Nay Yan Oo, a former fellow at the Pacific Forum of the Center for Strategic and International Studies who has studied the Myanmar military. “Now we are under military rule, and they can do everything they want.”

One particularly large section of the budget allocations covers the latest ware for phone-cracking and computer-hacking. Those systems are usually designed for use by militaries and police forces, and many international export bans include such technology.

The 2020-2021 Ministry of Home Affairs budget allocations include units from MSAB, a Swedish company that supplies forensic data tools for militaries around the world. These MSAB field units can download the contents of mobile devices and recover deleted items, according to notations in the budget.

Henrik Tjernberg, the chairman of MSAB, said that some of the company’s “legacy technology” had ended up in Myanmar a few years ago, but it no longer sold equipment there because of a European Union export ban on dual-use products that can be used for domestic repression. Mr. Tjernberg did not answer questions about how his products ended up in the latest budget.

U Thein Tan, another member of the parliamentary budget committee, said that fellow lawmakers felt uncomfortable with all the spyware in the budgets but that questioning anything to do with the security services was taboo for civilian politicians.

“To be honest, we did suspect that they were using the technological devices for bad purposes, like surveillance of the people,” said Mr. Thein Tan. “But the problem is we don’t know what kind of technological devices these would be because we lack knowledge of the technology.”

International scrutiny has made a difference. Last year, MSAB and Cellebrite, among other Western cyber-surveillance firms, pulled out of Hong Kong, where the police used phone hacking technology to monitor democracy activists.

In Myanmar, the latest budget also included MacQuisition forensic software designed to extract and collect data from Apple computers. The software is made by BlackBag Technologies, an American company that was bought last year by Cellebrite of Israel. Both companies also make other sophisticated tools to infiltrate locked or encrypted devices and suck out their data, including location-tracking information.

A spokeswoman for the company said that Cellebrite stopped selling to Myanmar in 2018 and that BlackBag had not sold to the country since it was acquired last year. The company, she said, does not sell to countries sanctioned by the United States, European Union, Britain or Israel.

“In the extremely rare case when our technology is used in a manner that does not meet international law or does not comply with Cellebrite’s values, we immediately flag these licenses for nonrenewal and do not provide software updates,” the spokeswoman said.

Cellebrite hardware and software have been used by the police to secure evidence in court cases, according to U Khin Maung Zaw, one of Myanmar’s top human-rights lawyers who is representing Ms. Aung San Suu Kyi, the ousted civilian leader.

The technology was presented as central to the 2018 trial of two Reuters reporters who uncovered evidence of a Rohingya massacre the year before. Mr. Khin Maung Zaw represented the two journalists.

In court documents, the police said they had gathered data from the detained reporters’ phones using Cellebrite forensic technology. The data helped convict the reporters, in what human rights groups have said were politically motivated cases.

Cellebrite said that after the Reuters’ case was publicized, “these licenses were unequivocally not renewed.” The company now has the ability to remotely suspend the licenses, essentially erasing the software from its machinery and rendering the devices useless.

Mr. Khin Maung Zaw, the human rights lawyer, said that the police again presented Cellebrite evidence in trials he worked on in 2019 and 2020. The cases related to a section in the telecommunications law on online defamation, which human rights groups say is used to criminalize dissent.

“The cybersecurity department is still using that technology,” Mr. Khin Maung Zaw said. “To my knowledge, they use Cellebrite to scan and recover data from cellphones.”

In many instances, governments do not buy military-grade technology directly from the companies that make them but instead go through middlemen. The intermediaries often cloak their intentions behind business registrations for education, construction or technology companies, even as they post photographs on social media of foreign weaponry or signing ceremonies with generals.

Middlemen can give Western companies distance from dealing face-to-face with dictators. But international embargoes and dual-use bans still hold tech firms liable for the end users of their products, even if resellers make the deals.

One of the most prominent surveillance technology middlemen in Myanmar is Dr. Kyaw Kyaw Htun, a Myanmar national who studied at a Russian university and Myanmar’s Defense Services Technological Academy, the military’s elite training ground. Many of the top employees at MySpace International and other firms he founded share the same educational pedigree.

His connections were extensive. At defense procurement fairs, Dr. Kyaw Kyaw Htun showed off Western spyware to crowds of men in uniform, and he boasted on social media about hosting an American defense manufacturer in Myanmar. MySpace International is listed on the website of a Czech defense and laboratory equipment maker as a “partner.”

Dr. Kyaw Kyaw Htun’s wife is the daughter of a high-ranking Tatmadaw officer who served as ambassador to Russia. She is named as the Myanmar agent for a Russian stun gun maker.

The two people with knowledge of police procurements said that Dr. Kyaw Kyaw Htun’s companies supply most of the imported Western surveillance technology for the Myanmar police. A list of successful recent tenders from the Ministry of Home Affairs includes MySpace International, and the company’s website had the Ministry of Defense among its clients.

The website also had a section on digital forensic technology that cited MSAB, BlackBag and Cellebrite among its “main suppliers,” with extensive descriptions of each firm’s offerings.

Dr. Kyaw Kyaw Htun declined to speak with The Times.

“We are not a big company,” said Ko Tet Toe Lynn, the assistant general manager for MySpace International. He would not answer questions about what products the company resells, saying there were too many to remember.

Cellebrite said that neither it nor BlackBag was “affiliated” with four of Dr. Kyaw Kyaw Htun’s companies, including MySpace International. The Israeli firm did not say who its reseller in Myanmar was.

The day after The Times posed extensive questions about the relationship between MySpace International and Cellebrite, the entire MySpace International website was taken down.

While some imported surveillance equipment is considered dual-use, other technology is clearly meant for military purposes. International arms embargoes prohibit such systems from being exported to Myanmar.

By 2018, Israel had essentially blocked military exports to Myanmar, after it emerged that Israeli weaponry was being sold to an army accused of genocidal actions against the Rohingya ethnic minority. The embargo extends to spare parts.

Two years later, Myanmar Future Science, a company that calls itself an educational and teaching aid supplier, signed paperwork reviewed by The Times agreeing to service military-grade surveillance drones made by Elbit Systems, an Israeli arms manufacturer. Senior Gen. Min Aung Hlaing, the Tatmadaw chief who led the coup last month, visited Elbit’s offices during a 2015 trip to Israel.

The company’s drones have been connected to ongoing conflicts in Myanmar. Last year, an ethnic armed group fighting the Tatmadaw in far western Rakhine State said it had seized an Elbit drone that had been flying over a battle zone.

U Kyi Thar, the chief executive of Myanmar Future Science, confirmed that his company began the repair work on the drones in late 2019 and continued into 2020.

“We ordered the spare parts from the Israeli company called Elbit because they have good quality and Elbit is well-known,” Mr. Kyi Thar said.

A spokesman for Elbit said that it has had no dealings with Myanmar since 2015 or 2016.

“Myanmar’s military is very closed, and Israel is very closed,” said Siemon Wezeman, a senior researcher with the arms and military expenditure program at the Stockholm International Peace Research Institute. “Who knows what happens inside there?”

Despite the export ban, Israeli defense technology continues to turn up in unexpected places.

On Feb. 1, the day of the coup, military experts were surprised to see armored vehicles made by Gaia Automotive Industries, an Israeli manufacturer, rolling through Naypyidaw, the capital. The experts, including Mr. Wezeman and a person familiar with Myanmar’s defense procurements, said the vehicles used in the coup featured Gaia’s distinctive hood handles, air inlets and headlight settings.

The vehicles did not go into mass production until after the Israeli ban on military exports.

Shlomi Shraga, the head of Gaia Automotive, said that he had not seen any photos of the company’s vehicles cruising through the Myanmar capital during the coup. He stressed that all his exports had the requisite licenses from Israel’s Ministry of Defense.

“Let’s hope that the people of Myanmar live in peace and under a democratic regime,” Mr. Shraga said.


Vermont Health Connect had 10 data breaches last winter





Vermont Health Connect had 10 data breaches last winter
Vermont Health Connect has set up a special enrollment period in response to the coronavirus outbreak. VHC photo

In mid-December, a Vermont Health Connect user was logging in when the names of two strangers popped up in the newly created account.

The individual, who was trying to sign up for health insurance, deleted the information that had suddenly appeared.

“It was super unsettling to think that someone is filing in my account with my information,” the person, whose name is redacted in records, wrote in a complaint to the Department of Vermont Health Access. “Just seems like the whole thing needs a big overhaul.”

It was one of 10 instances between November and February when Vermont Health Connect users reported logging to find someone else’s information on their account.

The data breaches included names of other applicants and, in some cases, their children’s names, birth dates, citizenship information, annual income, health care plans, and once, the last four digits of a Social Security number, according to nearly 900 pages of public records obtained by VTDigger. On Dec. 22, the department’s staff shut down the site to try to diagnose the problem.

While officials say the glitches have been resolved, it’s the most recent mishap for a system that has historically been plagued by security and technical issues. The breaches could be even more widespread: Administrators of Vermont Health Connect can’t tell if other, similar breaches went unreported.

“We don’t know what we don’t know,” said Jon Rajewski, a managing director at the cybersecurity response company Stroz Friedberg. Regardless of whether there are legal ramifications for the incidents, they should be taken “very seriously,” he said.

“If my data was being stored on a website that was personal, — maybe it contains names or my Social Security number, like my status of insurance… — I would expect that website to secure it and keep it safe,” he said.

“I wouldn’t want someone else to access my personal information.”

Andrea De La Bruere, executive director of the Agency of Human Services, called the data breaches “unfortunate.” But she downplayed the severity of the issues. Between November and December, 75,000 people visited the Vermont Health Connect website for a total of 330,000 page views, she said. The 10 incidents? “It’s a very uncommon thing to have happen,” she said.

De La Bruere said the issue was fixed on Feb. 17, and users had reported no similar problems since. The information that was shared was not protected health information, she added, and the breaches didn’t violate the Health Insurance Portability and Accountability Act, or HIPAA.

“No matter what the law says technically, whether it’s HIPAA-related or just one’s personal information, it’s really concerning,” said Health Care Advocate Mike Fisher.

The timing of the issue is less than ideal, he added. Thousands of Vermonters will be logging into Vermont Health Connect in the coming weeks to take advantage of discounts granted by the American Rescue Plan. “It’s super important that people can access the system, and that it’s safe and secure,” Fisher said.

A ‘major issue

The issues first arose on Nov, 12, when at least two Vermonters logged in and found information about another user, according to records obtained by VTDigger.

Department of Vermont Health Access workers flagged it as a “major issue” for their boss, Kristine Fortier, a business application support specialist for the department.

Similar incidents also occurred on Nov. 17 and 18, and later on multiple days in December.

Department of Vermont Health Access staff members appeared alarmed at the issues, and IT staff escalated the tickets to “URGENT.”

“YIKES,” wrote a staff member Brittney Richardson. While the people affected were notified, the data breaches were never made public.

State workers pressed OptumInsights, a national health care tech company that hosts and manages Vermont Health Connect, for answers. The state has contracted with the company since 2014. It has paid about $11 million a year for the past four years for maintenance and operations, with more added in “discretionary funds.”

Optum appeared unable to figure out the glitch. “It is hard to find root cause of issue,” wrote Yogi Singh, service delivery manager for Optum on Dec. 10. Optum representatives referred comments on the issues to the state.

By Dec. 14, Grant Steffens, IT manager for the department, raised the alarm. “I’m concerned on the growing number of these reports,” he wrote in an email to Optum.

The company halted the creation of new accounts on Dec, 14, and shut down the site entirely on Dec, 22 to install a temporary fix. “It’s a very complex interplay of many many pieces of software on the back end,” said Darin Prail, agency director of digital services. The complexity made it challenging to identify the problem, and to fix it without introducing any new issues, he said.

In spite of the fixes, a caller reported a similar incident on Jan. 13.

On Feb. 8, a mother logged in to find that she could see her daughter’s information. When she logged into her daughter’s account, the insurance information had been replaced by her own.

“Very weird,” the mother wrote in an emailed complaint.

Optum completed a permanent fix on Feb. 17, according to Prail. Vermont Health Connect has not had a problem since, he said.

Prail said the state had reported the issues to the Centers for Medicaid and Medicare Services as required, and had undergone a regular audit in February that had no findings. The state “persistently pressured Optum to determine the root cause and correct the issue expeditiously but at the same time, cautiously, so as to not introduce additional issues/problems,” he wrote in an email to VTDigger.

“We take reported issues like this very seriously,” he said.

A history of glitches

The state’s health exchange has been replete with problems, including significant security issues and privacy violations, since it was built in 2012 at a cost of $200 million.

The state fired its first contractor, CGI Technology Systems, in 2014. A subcontractor, Exeter, went out of business in 2015. Optum took over for CGI, and continued to provide maintenance and tech support for the system.

Don Turner
Don Turner, right, then the House minority leader, speaks in 2016 about the need to fix the state’s glitch-ridden Vermont Health Connect website. With him are Phil Scott, left, then the lieutenant governor, and Sen. Joe Benning. Photo by Erin Mansfield/VTDigger

In 2018, when Vermont Health Connect was less than 6 years old, a report dubbed the exchange outdated and “obsolete.”

Officials reported similar privacy breaches in 2013, when Vermonters saw other people’s information.

An auditor’s report in 2016 found a slew of cybersecurity flaws, and officials raised concerns again during a  2018 email breach.

It wasn’t the first time that Vermont Health Connect users had been able to view other people’s personal information. Three times since October 2019, individuals had logged in to see another individual’s insurance documents. Prail attributed those incidents to human error, not to system glitch; a staff member uploaded documents to the wrong site, he said.

In spite of the issues, Prail said he and other state officials have been happy with Optum. After years of technical challenges with Vermont Health Connect, “Optum has really picked up the ball and improved it and been running it pretty well,” he said.

Glitches are inevitable, he added, and Optum has addressed them quickly. “They took a really difficult-to-manage site and made it work pretty well,” he said. “Optum is generally quite responsive to any issues we have.”

“I find any privacy breach to be concerning,” said Scott Carbee, chief information security officer for the state. He noted that the state uses “hundreds of software systems.” “While the scope of the breaches can be mitigated, true prevention is a difficult task,” he wrote in an email to VTDigger.

Optum spokesperson Gwen Moore Holliday referred comments to the state, but said the company was “honored” to work with Vermont Health Connect “to support the health care needs of Vermont residents.”

Prail said the Agency of Human Services had no plans to halt its contract with the company. “I don’t have a complaint about Optum,” he said. “They took a really difficult-to-manage site and made it work pretty well.”

Don’t miss a thing. Sign up here to get VTDigger’s weekly email on Vermont hospitals, health care trends, insurance and state health care policy.

Help us get halfway to our Spring Drive goal. When we reach 1,5000 members, we will unlock a $10,000 match, plus 1,500 Vermont kids get a new book!

Filed under:

Health Care

Tags: data breaches, Optum, Vermont Health Connect

Katie Jickling

About Katie

Katie Jickling covers health care for VTDigger. She previously reported on Burlington city politics for Seven Days. She has freelanced and interned for half a dozen news organizations, including Vermont Public Radio, the Valley News, Northern Woodlands, Eating Well magazine and the Herald of Randolph. She is a graduate of Hamilton College and a native of Brookfield.