
CNI issues guidelines to avoid another “Pegasus case” on government phones

The President of the Government, Pedro Sánchez, speaks on his mobile phone, in a file image. Photo: Portal

The National Intelligence Center (CNI) recently sent key government agencies and institutions a document outlining mandatory security guidelines to protect the cellphones of high-level administrative and government officials through which “sensitive information” circulates. The document, which has limited dissemination and to which EL PAÍS had access, indicates that the aim is to ensure that the terminals “are resistant to the various threats that could affect the security of the information processed or of the system itself, such as spyware attacks”, of which it cites Pegasus as an example: the program of Israeli origin that infected the mobile phones of Pedro Sánchez and three of his ministers, Interior Minister Fernando Grande-Marlaska, Defense Minister Margarita Robles and Agriculture Minister Luis Planas.

Spanish Defense Minister Margarita Robles listens to the military anthem in Ronda Photo: Portal | Video: EPV

The intelligence agency’s initiative comes exactly 10 months after the executive branch made public that the phones of these four government officials had been hacked in May 2021. The incident has since been investigated by National Court Judge José Luis Calama for a possible crime of discovery and disclosure of secrets. The 13-page CNI policy document, dated this month, was produced by the National Cryptological Center (CCN), an organization dependent on the secret service whose responsibilities include “the security of government information technologies” that “store or transmit information in electronic format” that “requires protection and includes means of encryption”. The CCN creates cybersecurity standards, trains staff and certifies the reliability of technology used in government.

In this sense, the document focuses on telephone terminals, which it designates as “the most critical component”, since it is the one most exposed, on the one hand, to the threats arising from the loss, theft or tampering of the device and, on the other hand, to direct connection to insecure networks, among which it cites the Wi-Fi networks of “airports, cafeterias, hotels, etc.” The document reminds senior officials and government officials that they are required to use only “approved and properly configured mobile devices” (that is, previously approved by CCN experts) in accordance with the standards set out in an instruction prepared by the secret service itself, named CCN-STIC-496, which was released in April 2021, just before the infections on government officials’ cellphones took place.

The secret service emphasizes that high-ranking officials in the administration may only use the devices known as COBOs (Corporate Owned Business Only) for their official communication, which are made available to the user by the administration itself to carry out their tasks. “The user may not use the company mobile device for private purposes,” emphasizes the document. These terminals have their communication “restricted” and can only contact other management phones that are part of the secure network. They are also prevented from automatically updating the operating system or downloading commercial applications “because of the high risk that both connections entail”.

The document from the National Cryptological Center analyzes the opportunities and risks of “the use of 5G technology for state use”. It warns that although 5G “offers new opportunities in terms of security and protection of communications”, the evaluation and certification of these supposed advantages is currently “very complex, not mature and not to be expected in the short term”, which is why it is initially in favor of retaining “classic measures”. For this reason, it repeatedly emphasizes that the use of “reliable and truthfully evaluated and certified” terminals remains the key to maintaining the confidentiality of communications, but admits that this is not enough. It underscores the need to take other measures, such as using “a non-commercial operating system” with the goal “that all communications reach the organization [the term it uses to refer to the Government and other State institutions] through a tunnel to be able to access the various services, preventing any direct access from the terminal to the Internet and vice versa”.


In fact, the experts emphasize that the Internet connections made by these phones are made “through a secure connection zone controlled by the organization”, making it “much easier to monitor possible leaks of sensitive information” or to detect abnormal operation of the terminal that is a symptom of the latter. In this sense, the new security policy states that all phones of the country’s high institutions must use only a firewall (a security system that restricts Internet traffic coming into, going out of, or moving within a private network) of the “organization” and not others that are marketed. The goal is to prevent a security breach that would allow potentially dangerous programs like Pegasus to intrude.

The directive recalls that “secure mobile communications applications” that encrypt information (referring to instant messaging applications such as Telegram or Signal) on non-approved phones “do not by themselves provide protection against spyware programs”, nor do they protect the end device “against other types of attacks” such as “malicious modification of other applications” already installed on the device. Therefore, it prohibits their use for transmitting sensitive information.
