The National Cryptological Center (CCN) has prepared a “brief cybersecurity guide” for political parties with advice and guidelines to minimize, during the campaign for the May 28 elections, the risk of falling victim to computer attacks, hacking and disinformation campaigns. In the document, which is 78 pages long and was distributed by the Central Electoral Board on the 11th, the agency, which reports to the National Intelligence Center (CNI), expresses its concern that “a cyberattack on the computer systems of a political party, which results in the public disclosure of information stolen from computers, mobile phones or computer servers […] during an electoral campaign or on the day of reflection of the population summoned to the polls, can have a direct and significant impact on the electoral conduct of the voter”.

The document stresses that, although “it is often thought that a serious cyber incident during an electoral process would be derived from a computer attack on the electoral results processing systems”, the elections can also be seriously conditioned by “a selectively measured cyber attack and directed against the computer systems of one or several political parties, in order to reveal sensitive information of political parties or their members, which is later misrepresented before public opinion.” This, it concludes, “can illegitimately and illegally condition democratic dynamics.”

To avoid this, the guide prepared by the CCN, to which EL PAÍS has had access, advises those in charge of the parties to adopt various measures to control access to their internal information, protect their computer systems and mobile phones, and secure their social media accounts. The document concludes with instructions on how parties should act if they detect that one of these incidents has occurred, and on how to train their candidates and leaders to take cyber protection measures on a day-to-day basis. However, it also stresses that this guide, which it describes as a “compilation of cybersecurity suggestions”, should not “replace the need” for parties to develop “their own information security management systems in a systematic and professional manner”.

The preparation of this document was a recommendation that emerged a little over two years ago from the National Security Council (CSN, in charge of advising the President of the Government in emergency situations). It came after “numerous cyber-incidents”, all of them of low danger, were detected under the police protocols that the Interior Ministry launched in 2019 to combat so-called fake news or hoaxes during that year's three electoral campaigns and to protect the vote-counting computer system against a possible computer attack.

On that occasion, Fernando Grande-Marlaska’s department mobilized a hundred agents, together with experts from other cybersecurity organizations, to monitor social networks and the Internet in order to prevent and neutralize these attacks. It did not directly involve the parties, even though those documents already warned of “possible attacks against system actors”, a reference to the political parties and other organizations involved in the elections.

The guide now distributed among the parties aims to get them involved “in achieving cybersecurity of networks and computer systems as a guarantee factor in the fight against disinformation in the electoral field, given the importance that political parties have in our electoral system”. To do this, it puts to the parties the need to “prepare in the best possible way to deal with hybrid threats [cyberattacks and destabilizing propaganda] and reduce their vulnerabilities”. To that end, it proposes what it calls “a checklist” that allows them to know “what is being met and what should be met to guarantee a cybersecurity standard.” With this, it says, “the parties will be less likely to be victimized in malicious disinformation schemes aimed at manipulating the Spanish population.”

The document focuses on the two “tactics” of cybercriminals that “accumulate the largest volume of computer incidents in the world and every year.” One is breaking into devices by taking advantage of “software failures”; the other is “the manipulation of the behavior of the user of computer systems to lead them to carry out actions”, such as clicking on a link in a message they have received so that a computer virus infects the device. The guide also highlights that cyberattacks can in fact be a succession of chained but independent actions, whose perpetrators have different motivations, from economic to ideological.

As an example, it describes a scenario in which a “first attacker” infects a system with a webshell (a malicious program that allows a cybercriminal to gain unimpeded entry into a computer). This, in turn, allows a second attacker to insert a Trojan (which gives remote control from another computer) and rent that access out to a third attacker, who can deploy ransomware (which encrypts the data of a system to later request a ransom in exchange for releasing it). A fourth then takes control of the party’s sensitive information to sell it to a fifth who is interested in causing “an electoral incident in a country”, the CCN stresses. “This stolen and published information can in turn be misrepresented through disinformation techniques, with the aim of distorting the perception of parts of a voting community,” it adds.

For all these reasons, the CCN insists to the parties on the need to create “a cybersecurity ecosystem” around their most sensitive information, ranging from information they receive from the State that is subject to the Official Secrets Law or is classified as “confidential” or “limited dissemination” to personal information protected by the data protection law. To all of this, the guide asks the parties to add part of their own “internal information”, including information that details “organizational processes and finances”, information that records “internal deliberations, strategies, plans, intentions or private conversations with third parties”, and “surveys, prospective actions or methods of action”. It also asks them to protect the content of emails sent or received in party accounts and documentation that details, precisely, “security and cybersecurity systems”, as well as documentation that shows the technological systems used and the authentication credentials to access this sensitive information.

‘Faraday cages’ for mobile phones

The guide includes, in tables, eight “checklists” with a total of 51 measures that the CCN advises the parties to adopt to minimize the risk of being victims of cyberattacks. These range from encrypting the “sensitive” information that they store in their databases or that they send, to creating passwords for access to the computer system that are “robust in form and length” (with more than 12 characters) and that must be renewed after six months.

On mobile phones, it highlights that, because they accompany “a person almost every hour of their days”, their protection is “a fundamental chapter”. To shield the abundant information contained in these devices, it recommends deactivating the geolocation that accompanies some applications, using more complex passwords than those usually set on these devices, disabling notifications on the screen and preventing downloads of new applications without the approval of the party’s cybersecurity managers. It also recommends that, when face-to-face meetings are held in which confidential information is to be handled, attendees place their mobile phones in envelopes designed as Faraday cages (a container that prevents devices from emitting or receiving wireless signals) so that they remain incommunicado and cannot be hacked for the duration of the meeting.

Regarding social networks, the CNI-dependent body advises politicians against using them to share sensitive information, whether party-related or personal. “It’s a good idea to keep your contact list private and carefully screen friend requests from strangers,” it adds.

Regarding instant messaging applications, such as WhatsApp, it proposes avoiding sending unencrypted documents or clicking on links and files received without first doing “a double verification of the identity and intention of the sender of the message.” The document insists that for cybersecurity measures to be successful, “zero trust” is required. In other words, the parties must assume that “there will be people outside the political party and with malicious intentions” who will try to access their information.