When the Vatican goes offline, it doesn’t just pray – it protects. As the Church prepares to elect a new pope, the world’s tiniest nation is becoming a digital fortress.
As the conclave gathers in isolation for what could be the biggest papal election in decades, will the Holy See be able to protect themselves should another threat come knocking?
In May 2020, when a Chinese hacker group known as RedDelta allegedly infiltrated the Vatican’s computer networks, the Chinese state was on a mission to get a foothold in talks over who really gets to run the Catholic Church in China.
When such a threat comes surging down your wires, you wouldn’t expect the holiest place on Earth to be capable of a rebuff. Yet, it happened, and with expert know-how.
What happened in the 2020 attack?
The attack occurred during sensitive negotiations between the Vatican and Beijing over the appointment of bishops in China.
In China, there’s a state-run organization, called the Chinese Patriotic Catholic Association (CPCA), which appoints bishops without the Vatican’s approval, thereby having a Catholic Church loyal to the communist party.
The RedDelta hackers used spear-phishing emails masquerading as official Vatican communications.
The emails contained malware-laced documents with content tailored towards Vatican related themes like Catholic teachings or diplomatic discussions.
This wasn’t just spying on the Vatican for the sake of it, it was a geopolitical tug-of-war over the control and legitimacy in catholic life inside China.
Historically, the Vatican hadn’t commented on cybersecurity issues and this was one of the few instances of their defences being breached.
And though there was no public comment about the attacks, this breach, along with the hire of a cybersecurity expert they made shortly before that, helped accelerate investment from the state and ramped up protection as a priority.
Cybersecurity overhaul
Just a few months before the cyberattack, in October 2019, the Vatican appointed Gianluca Gauzzi Broccoletti as its Director of Security Services.
Broccoletti brought robust and vigorous experience from previous roles in Italian law enforcement and cybersecurity.
Under his leadership, the team modernized the Papacy's setup, with a strong emphasis on AI-powered threat analysis and digital forensics.
Though not solely responsible for repelling the Chinese attacks, Broccoletti and his team have a credible example of holding the fort of a very high-value target of papal communications, diplomatic messages, and archival communications.
They were integral to safeguarding the very fabric of the Holy See's global diplomatic influence and religious integrity.
Internal leaks and external threats
As well as having to level up digitally due to the RedDelta attacks, there have been previous instances of leaks internally in the Vatican.
Whistleblowers in 2012 and 2015 leaked private documents showing financial corruption and internal power struggles.
Vatican officials and journalists were even convicted, which sowed the seeds of their communications mechanism coming into the public eye and being largely condemned, both nationally and internationally.
And, aside from what happened with RedDelta in 2020, there are alleged cyber threats further afield, like in Vietnam with the APT32 group (OceanLotus) or another Chinese hacking group APT10 (Stone Panda).
Neither of these groups have explicitly attacked the Vatican so far, but it remains an obvious target, considering the groups’ predilection for targeting entities with diplomatic and political influence.
Will the conclave be safe?
Historically, the Papal State has upheld the sanctity of personal dignity. As Pope Francis steered the Church into the 21st century, it now faces the ethical dilemma of balancing the need for security through monitoring communications while respecting personal freedoms.
Now, the Church's momentous task of selecting a new Pope through the papal conclave means keeping everything under wraps, while constantly evolving hacking and surveillance techniques require a strengthening of the digital fort.
No phones are allowed in the Vatican, meaning that traditional leaks are highly unlikely.
Furthermore, opaque privacy film is applied to the windows, and the selection conclave is forbidden from even glancing outside during the voting process.
The 650 cameras monitoring the streets of the Vatican, along with armed Swiss guards, constantly monitor for any suspicious physical threats.
The conclave itself likely operates in a strictly offline environment with no networks and digital communication whatsoever, which in effect is cybersecurity through total isolation.
Signal jammers are also part of the protective system, as data exfiltration and remote attacks via Bluetooth, WiFi, and mobile networks are formidable to penetrate.
The Gendarmerie’s cybersecurity division has ramped up digital shielding using encrypted messaging protocols, endpoint monitoring tools, air-gapped systems, and AI-driven surveillance to detect and neutralize threats before they manifest.
The 2020 experience with RedDelta could be considered a necessary sin, especially as Broccoletti and his team have since been able to beef up the defences, including detection systems, endpoint monitoring, and encrypted communications.
So, as the selection process for the new Pope is soon to begin, the candidates and committee can thank the digital overlord for keeping them in safe hands.
Your email address will not be published. Required fields are markedmarked