The scandals involving the tapping of politicians, NGOs and journalists by the NSO Group's Pegasus programme have raised several questions about how ministers and senior officials in Luxembourg protect their digital devices.
Questioned by Paperjam, several ministries remained silent or evasive. The ministry of the economy did not answer, while the ministry for digitalisation referred the question to the media and communications service (which is run by the ministry of state), which in turn referred the question to the ministry for digitalisation and the government IT centre. The loop was closed, but no real answer was given.
MP Viviane Reding (CSV) has now received some additional explanations in a reply to her parliamentary question based on the article subsequently published by Paperjam and Delano.
"The hacking of Facebook accounts and the recent revelations concerning Pegasus software have not had any particular impact on the security architecture," Xavier Bettel (DP) wrote in his reply to Reding.
The prime minister, who is in charge of the digitalisation portfolio, stressed that all civil servants are obliged to observe a good conduct code regarding electronic communications. Without going into technical details that require a certain amount of discretion, the prime minister emphasised that “the state provides each member of the government with the technical and logistical means necessary for the exercise of his or her function”.
A lost or stolen communication tool can be deleted via the MDM.
With regard to the use of digital devices, the government commissioner for data protection at the state and the national agency for security of information systems (ANSSI) recommend the "careful and restrained use of commercial services or applications". The two bodies recommend the use of solutions chosen by the government IT centre (CTIE). The latter offers modern communication tools for all departments and administrations that use its services, but does not cover the use of communication services such as WhatsApp or the use of social networks.
Bettel specified that all mobile phones and tablets made available by the CTIE to members of the government, as well as to senior civil servants, are operated and managed by a central management infrastructure (MDM) "enabling the implementation of an appropriate level of security". This includes the encryption of all information.
Thus, according to the prime minister, “a lost or stolen communication tool can be erased via the MDM”.
Last April, the telephone numbers of several political figures including Bettel, foreign minister, Jean Asselborn (LSAP), minister for the economy, Franz Fayot (LSAP), minister for small and medium-size enterprises and tourism, Lex Delles (DP), and the leader of the Pirate Party, Sven Clement, were included in the list of 530 million accounts whose data was stolen from Facebook.