“Circumstances have changed,” recalls the Court of Auditors in its last motion on the financing of political parties. The agency points to the grant for security expenses received by the formations that obtain representation in national or local elections. It was approved in 2002 and was intended to protect councilors from ETA terrorism. 2021 has been a decade since the gang’s armed activity ceased, but the conditions of the subsidy have not been updated and it is common for parties to return a large part of that item for not having used it.
Madrid paid 225,000 euros to Indra for the system that leaked personal data due to a “rookie” error
In this situation, the Court of Auditors asks them “reconsider the material and economic convenience of maintaining the subsidy in current conditions” and recommends directing it towards “the risks and threats” of “current times”, which are none other than “cyberattacks, phishing or identity theft, or eventual access to the personal information of affiliates and supporters or their political positions “.
Spanish politicians have suffered this type of cyber attack in recent years. Representatives of Catalan nationalist parties have been targets of the Pegasus spy program, capable of recording calls, messages and any type of information that the victim stores on their mobile phone. At the institutional level, in 2021, multiple ministries and public agencies have also suffered infections of ransomware, which encrypts the files on the device and asks for a ransom to recover them. Work and the SEPE were paralyzed for weeks by attacks of this nature.
The party security subsidy, as currently proposed, is annual and is managed through the Ministry of the Interior. Since 2003, the General State Budgets have allocated 59.3 million euros to this item, between 2 and 4 million a year. According to him latest Quarterly balance of the department headed by Fernando Grande-Marlaska, published in July, the party that recorded the most spending on security was the PSOE (185,000 euros), followed by the PP (150,000), Vox (100,000) and Unidos Podemos (62,000).
However, and despite the fact that cyber threats are present for all public positions, it is common for parties to not take advantage of the security grant. Up to 12 trainings (40%) of those audited in the last year analyzed by the Court of Auditors ended up returning part of this allocation due to not having spent it.
The law specifies that two of the concepts in which it can be used are “software for the protection of information” and “hardware related to security”, but the bulk of the funding is intended for the physical protection of political representatives . Both in the headquarters of the parties (security personnel and equipment, such as security glass) and in public events, as well as in their own personal integrity (bodyguards, armored vehicles or signal inhibitors).
“Today, for any citizen, it is much more likely to suffer an assault through the mobile phone than in the street at knife point,” explains Miguel Ángel Domínguez, director of Add4u, a consultancy specializing in the robotization of public processes that he works regularly in public office. “There is a very common phrase which is I don’t know anything about computing. That should disappear from the realm of political parties. Our representatives should have an obligation to be aware of the cybersecurity risks to which they are exposed. ”
Our representatives should have an obligation to know the cybersecurity risks to which they are exposed
Domínguez emphasizes that the most important field where he can deepen a remodeling of spending on party security is that of “training in cybersecurity” and that these have “a certain impact.” “Any mayor or councilor of a small municipality has to understand that depending on what he does, he could be putting information and personal data at risk that could cause a problem in his municipality.”
Any citizen is exposed to this type of attack. However, public positions are even more so, since on many occasions their email addresses are public and their daily activity is disseminated through social networks. This makes it much easier for a cyber attacker to design a customized attack against that particular politician (with a credible hook for them to click on a link, for example), which multiplies the chances that the offensive will be successful.