The revelation by the Government that the cell phones of Pedro Sánchez and Margarita Robles were hacked by the Pegasus espionage software in May and June 2021 has put the National Intelligence Center (CNI) in the spotlight. How is it possible that a whole year passed from the attack until it was discovered? It has been one of the most repeated questions in the press conference after the Council of Ministers on Tuesday. “These things happen. We reinforce our capacities every day. The protocols have been followed, with the means that have been available at all times,” responded the spokesperson, Isabel Rodríguez.
Rodríguez reiterated this idea on more occasions. “During this year the protocols are followed, they are updated, and it is surely that updating of means, resources and protocols that allows us to have accredited today the facts that we have made available to justice,” he replied when questioned.
The answer leaves the ball again in the court of Spanish intelligence and, more specifically, in that of the National Cryptologic Center. This body, attached to the CNI and therefore dependent on the Ministry of Defence, is in charge of cybersecurity for Spanish public administrations and “companies of strategic interest to the country”. Its acronym is CCN-CERT, with a surname that comes from the acronym in English of computer emergency response teamsince its attributions also include responding to any alert of attack or infection in the institutions.
The CCN was founded in 2006 and is one of the two main legs of the Spanish cybersecurity organizations. The other is the National Cybersecurity Institute (Incibe), which supports private companies and reports to the Ministry of Economic Affairs. They are joined by the cybernetic units of the police forces and other organizations such as the CNPIC, dependent on the Interior and head of the cybersecurity of critical infrastructures.
The Cryptologic Center is the body that has analyzed the cell phones of the president and the defense minister, discovering that they were infected by Pegasus a year ago. By extension, it is also the one that has not been able to detect it until now due to a lack of updating “means, resources and protocols”, as explained by the minister spokesperson on Tuesday.
The CNI has refused to comment on any issue relating to espionage. Also about the role or capabilities of the Cryptologic Center, which shares the opacity in which the center from which it hangs moves. The professionals who protect public institutions from cyber threats are almost as inaccessible as the former’s spies. Did the Pegasus attack catch you by surprise and out of date? Several sources from the cybersecurity industry contacted by this means and documents published by the Cryptologic Center itself cast doubt on it.
The CCN-CERT produces a good number of reports a year with cybersecurity recommendations for administrations, as well as threat analysis that are taken into account by the rest of the sector. Cyberespionage is one of the highest priorities of the agency’s work.
“It can be said that, at present, more than one hundred countries have the capacity to develop cyber espionage attacks and their specialization continues to grow, as does the threat they represent. This threat, used mainly by intelligence services, is addressed to both the public and private sectors”, Javier Candau, head of the CCN’s Cybersecurity department, warned in 2019.
When Sánchez and Robles were hacked by Pegasus, this espionage software was already a known archenemy of activists and journalists persecuted by authoritarian states. Its attacks have been recorded since 2017. In July 2020, the Citizen Lab revealed that this espionage software had been used in Spain in a way that had not been documented until then: it was found on the phones of public representatives of a democratic country. Pegasus had attacked the president of the Parliament of Catalonia, Roger Torrent, ERC and CUP deputies, members of the Government and independence activists.
Those revelations were the germ of the Citizen Lab report two weeks ago. In these two years of investigation, its analysts have found traces of the Pegasus attacks against 66 people from the Catalan and Basque pro-independence environment. They suspect there may be many more. The list of potential targets they handle is 1,483 telephones with a Spanish prefix (+34), citing sources familiar with the investigation.
Only a month after the president and the defense minister were attacked, it was revealed that the phones of at least 12 heads of government, including the French, Emmanuel Macron, were listed as targets of Pegasus. The same software infected military and political officials in 34 states.
Just after learning of these attacks, the CCN sent a report to public administrations warning of the risk of Pegasus, as revealed by El País. It was titled Pegasus software detection on iPhone devices, which are the ones used by senior government officials. “Among its victims could be high officials of many governments, politicians, journalists or very relevant figures in other areas,” warned the CCN.
“The CCN is up to date; where it does not have the maximum capabilities, they pull cybersecurity companies, at least national ones, to complement their capabilities,” explains the cybersecurity manager of a multinational company who asks not to be identified. elDiario.es has contacted several specialists and they all share this opinion about the professionals of the Cryptologic Center and the capacities of the organization.
“Taking the US as a top reference in cybersecurity, we would be 3-4 places below,” says this expert. It is not just a personal opinion, since that is also the position that the International Telecommunications Union (dependent on the United Nations) gives Spain in its latest Global Cybersecurity Index, one of the reference reports in the sector. Spain is fourth, behind the US, UK and Saudi Arabia and with the same score as Singapore and South Korea. Among its strengths, the development of capacities and technical measures stand out. The only aspect to improve is the organization.
“The capabilities of the CCN are good. I personally know some of the professionals who work there and they are the best there is, not only nationally but also internationally. The only thing that can limit them a bit is the resources they have” , exposes another senior official of a cybersecurity company with a presence in dozens of countries.
This expert recalls that the cybersecurity sector is characterized by its constant updating and the knowledge that is shared between different companies and institutions. “Here no one can do their job on their own. Not to protect administrations, critical infrastructures, companies or users. No one can do it alone. There are such a number of threats, the number of incidents that are recorded every day, that decades ago the industry learned that information has to be shared”.
This expert also doubts that it is a lack of updating of the CCN that has caused the delay in detecting the attack against Sánchez and Robles. Instead, it exposes another possible cause: “Infections with Pegasus are detected by doing a forensic analysis of the mobile. If there are no indications that it has been compromised, forensics are not done, since it is most likely that the mobile is no longer can reuse. And the most advisable too”.