The world's smallest and most antiquated army is taking a step towards modernizing its cyber defenses.
Just ahead of the pre-Easter Holy Week for Catholics, Samsung announced that the Pontifical Swiss Guard (GSP) — the elite security force charged with protecting the Vatican and the Pope — is adopting the Knox Suite, a bundle of services for managing and securing mobile devices.
Strange as the fit might be, multilayered security is necessary for an organization whose long history includes plenty of targeted cyberattacks.
"Protecting the Vatican could be subtitled 'Mission Impossible,'" Approov CEO Ted Miracco says. "It's a high-profile target, with a vast array of sensitive information and valuable assets that make it attractive for cybercriminals, hackers, and other powerful groups opposing it."
Why the Vatican Needs Cybersecurity
In 2011, hacktivist group Anonymous carried out a 25-day-long cyber campaign against an unspecified target. The attack employed "around 10 to 15 skilled hackers," according to one report, but the victim was prepared. "All attacks on the application were blocked and logged by a Web application firewall." So, the attack proved unsuccessful.
Later reporting revealed the winning defender to be the Vatican. "It might sound strange for churches to be associated with technology," admits Bogdan Botezatu, director of threat research and reporting at Bitdefender, "but these institutions have long since made the technological leap."
In some sense, the Vatican's hand has been forced. In only the last few years, the papacy has been targeted by politically motivated and nation-state-level actors. There have been espionage campaigns carried out by China's TA416 in 2020 and other APTs and a website takedown by a Russian-aligned attacker late last year.
The Vatican's popularity as a punching bag among sophisticated APTs requires a degree of security on par with other nation-states, despite its size aligning more closely with large enterprises.
"It probably shares the same pain points with other organizations of similar size," Botezatu hypothesizes, but "it's still tasked with the protection of an iconic figure, so network, data, and device security should be a top concern."
However, when it comes to security, "the specific strategies and tactics may differ due to the unique context and challenges of the Vatican as a religious institution," Miracco says.
In general, though, "the same security principles apply everywhere." The Vatican would need sufficient endpoint security, he says, alongside network security, physical security, "and perhaps an underestimated angle: training and awareness in an organization that is not particularly technology savvy."
The Shortcomings of All-in-One MDM Solutions
Specifically, Samsung Knox will offer the Vatican and the Swiss Guard the following:
- Device enrollment for both IT admins and device users, enabling thousands of devices to be set up at once and configured easily;
- Allow system admins to remotely manage and monitor the location of every device used by the Pontifical Swiss Guard, and erase data in the event that a device is lost or stolen;
- And can be used to instantly share threat information across multiple devices, while patrol leaders are able to view where all members of the Pontifical Swiss Guard are deployed at any one time.
Something like Knox Suite may help the Swiss Guard with their cyber woes, but it isn't without its drawbacks — drawbacks that are, in some sense, endemic to mobile device management (MDM) across other organizations of its size and scope — such as integration, or patching.
Miracco thus expects that "rolling that out across a diverse organization will be challenging."
He continues, "The Vatican, by selecting Samsung Knox, believes they can restrict employee access to the use of dedicated compatible devices, however, it may not be fully compatible with other mobile devices used by the Vatican staff. This could potentially limit the effectiveness of the security solution and create additional complexity and management challenges."
Perhaps this is less of a hurdle in an army of 135 obedient soldiers, but "in general, in a world where bring-your-own device (BYOD) is common, this may no longer be feasible, especially for organizations with a large global employee base."
Botezatu echoes the point, from a supplier perspective. "The smartphone market is largely split between iOS and Android, with both operating systems limiting the integration capabilities of third-party mobile solutions," he laments. "This inability to deeply integrate with the operating system leaves mobile security vendors unable to scan the entire file system, to inspect network traffic, or to run behavioral detection technologies."
He cites the fragmented mobile ecosystem, and a lack of "enterprise-grade tools for mobile device management that would work consistently on multiple smartphone brands and models," as some of the most severe fault lines in mobile security today.
At the end of the day, "protecting the Vatican is a difficult challenge," Miracco concludes. "Samsung Knox is one step."