The CNI gives guidelines to avoid another 'Pegasus case' on government phones

The President of the Government, Pedro Sánchez, speaks on his mobile phone, in a file image.Reuters

The National Intelligence Center (CNI) has recently sent to the main State agencies and institutions a document with mandatory security guidelines to shield the mobile phones of senior Administration and Government officials through whom "classified information" circulates. national” and, in general, “sensitive information”.

The document, of limited dissemination and to which EL PAÍS has had access, indicates that the objective is to ensure that the terminals are "resistant to the different threats that may affect the security of the information processed or the system itself, such as

attacks

spy”, of which he gives as an example Pegasus, the program of Israeli origin used to infect the mobile phones of Pedro Sánchez and three of his ministers, the head of the Interior, Fernando Grande-Marlaska;

Defense, Margarita Robles, and Agriculture, Luis Planas.

04:59

How does Pegasus work?

Spanish Defense Minister Margarita Robles listens to the military anthem in Ronda. Photo: Reuters |

Video: EPV

The initiative of the secret service occurs precisely 10 months after the Executive made public that, in May 2021, there had been an intrusion into the phones of these four members of the Government.

The event has been investigated since then by the judge of the National Court José Luis Calama for a possible crime of discovery and disclosure of secrets.

The CNI document with the guidelines, dated this month and 13 pages long, has been prepared by the National Cryptological Center (CNN), an organization dependent on the secret service and among whose functions is "the security of information technologies of the Administration that process, store or transmit information in electronic format” that “requires protection and includes means of encryption”.

The CCN prepares cybersecurity standards,

Along these lines, the document focuses on telephone terminals, which it qualifies as "the most critical component as it is the most exposed to threats derived from, on the one hand, the loss, theft or manipulation of the device and, on the other hand, , to exposure from direct connection to insecure networks”, among which he cites the Wi-Fi networks of “airports, cafeterias, hotels, etc.”.

The document reminds senior officials and members of the Government that they are obliged to exclusively use "approved and correctly configured mobile devices" - that is, previously approved by CCN experts - in accordance with the standards contained in an instruction prepared by the service itself. secret and called CCN-STIC-496, which was published in April 2021, shortly before, precisely,

The secret service emphasizes that high-ranking officials of the Administration must use for their official communications only the terminals called COBOs (Corporate Owned Business Only), made available to the user by the administration itself for the performance of their duties.

"The user may not use the corporate mobile device for personal purposes," the document emphasizes.

These terminals have their communications “restricted” and can only contact other administration telephones that are part of the secure network.

They are also blocked from making automatic updates to the operating system or downloading commercial applications "because of the high risk that both connections entail."

The document from the National Cryptological Center analyzes the possibilities and risks of the "use of 5G technology for government use", about which it warns that, although it "offers new possibilities with regard to the security and protection of communications", in these Currently, the evaluation and certification of these supposed advantages "is very complex, it is not mature and it is not expected to be so in the short term", for which reason it is committed to maintaining "classic measures" for now.

For this reason, it emphasizes on several occasions that the use of terminals "reliably and truthfully evaluated and certified" continues to be key to ensuring the confidentiality of communications, although it admits that it is not enough.

And stresses the need for other measures,

to the organization [term used to refer to the Government and other State institutions] to access the different services, thus preventing any direct access to the Internet from the terminal and vice versa”.

In fact, the experts emphasize that the Internet connections made from these phones are made "through a secure interconnection zone controlled by the organization" so that it is "much easier to monitor" possible leaks of sensitive information or detect a abnormal operation of the terminal that is a symptom of the latter.

Along these lines, the new security directive states that all the telephones of the country's high institutions must exclusively use a

(a firewall, a security system that restricts incoming or outgoing Internet traffic or within a private network) of the "organization" and not others that are marketed.

The goal is to prevent a security breach that would allow potentially dangerous programs such as Pegasus to enter.

The guideline recalls that "applications for secure mobile communications" that encrypt information - in reference to instant messaging applications such as Telegram or Signal - on phones that have not

been visaed "do not by themselves provide any protection against spyware

”, in addition to not protecting the terminal “against other types of attacks”, such as “malicious modification of other applications” already installed on the device.

Therefore, it prohibits its use for the transmission of sensitive information.

Subscribe to continue reading

Read without limits

Keep reading

I'm already a subscriber