How volunteers protect the Pope from hackers and cyber attacks
Brabantine - Who defends the Pope against cyber attacks? The Vatican lacks the necessary expertise. However, a group of volunteer IT experts is ready to protect the church from hackers. Its founder explains the dangers in an interview.
Published on 08.10.2025 at 00:01 – by Felix NeumannThe Swiss Guard and the Gendarmerie Corps protect the Pope and the Vatican against traditional attackers. But when it comes to cyber security, there is a lack of expertise - no one in the Papal States is really responsible for defence against hackers. Yet the danger is great: various hacker groups have attacked the Vatican with varying degrees of success on more than one occasion. In order to protect the church against such dangers, a group of professional cyber security experts have come together to recognise dangers at an early stage and support the technicians in the Vatican in arming themselves against attacks on the systems - all on a voluntary basis: Dutch IT security expert Joseph Shenouda founded the "Vatican Cyber Volunteers" in 2022. In an interview with katholisch.de, he explains why the Vatican is so poorly positioned against modern threats - and how this could be changed.
Question: In the global Cybersecurity Index, the Vatican is in the worst category, along with countries such as Afghanistan and Yemen. Why is cyber security in the Vatican so bad?
Joseph Shenouda: The pace of cybersecurity is fast. Not in the Vatican. In addition, the Vatican is many things at once and many things come together there: there is the state of Vatican City, the Curia, the worldwide diplomatic network of the Church converges here, there is the Vatican Bank, donations are collected for the Church. All of this has somehow been brought online by someone at some point, and no one is centrally responsible for security - there is no Chief Information Security Officer (CISO) in the Vatican.
In 2020, Dutch IT security expert Joseph Shenouda founded the "Vatican Cyber Volunteers". Today, over 90 experts worldwide are volunteering to support the Vatican's cybersecurity.
Question: And the risks are not just theoretical. There have already been several attacks on the Vatican. How did they react?
Shenouda: Not at all. It started back in 2012, when Vatican Radio and the entire Vatican website were hacked. In 2020, there were the Chinese attacks on mail servers. In 2022, there were DDOS attacks, i.e. the attempt to paralyse the infrastructure with mass attacks after Pope Francis made critical comments about Russia's attack on Ukraine. We have also discovered that Wi-Fi access points have been installed around the Vatican in order to deceive Vatican employees: They then log into a network and think they are on the Vatican network, but they are actually on a network belonging to the attackers, who can then read everything. In 2024, the cyber security index came out - and the Vatican ended up in the worst category.
Question: Otherwise, the Vatican is actually in a good position: It has the Gendarmerie Corps and the Swiss Guard. Don't they do anything against cyber threats?
Shenouda: They don't have the equipment. The focus is on physical security. With cameras and security guards, they also cover such dangers very well. But on the invisible front of cyber threats, they are blank. The current head of security, Gianluca Gauzzi Broccoletti, is an expert in cyber security - but in his current role he is only responsible for physical security. Neither he nor his people have the resources for this. That's why we stepped in.
Question: But completely from the outside!
Shenouda: Exactly. We don't have the view from the inside. But that also means that we see what the hackers see. We see the same vulnerabilities - but we don't use them to attack. We document what we find and make sure that the Vatican's IT department knows what it takes to close the gaps. We do everything that an IT security department should actually do under a good CISO. And as long as that doesn't exist, we help out as volunteers.
Question: What can you do from the outside?
Shenouda: For example, we check all interfaces between the Vatican systems and the outside world - in other words, exactly what attackers can see. This allows us to identify some dangers: outdated, insecure software, accidentally exposed servers, for example. But we do even more: "threat intelligence", i.e. analysing dangerous situations. We keep an eye on what is currently happening in the world: Which malware is on the move, which groups are active, which data leaks - possibly involving access data for Vatican systems - are currently on the market. We also monitor the "dark web", i.e. areas of the internet that are not directly accessible. Ideally, this allows us to recognise dangers before they become acute.
Question: What is the current threat situation? What is currently the biggest threat to the Vatican?
Shenouda: With the new pope, we have a whole new level of threat. As soon as he was elected, the number of attacks increased. For example, there was a significant increase in phishing attacks, i.e. attempts to spy out access data. We have also noticed an increase in ideologically motivated attacks - both from religious groups and state-affiliated actors. So we are very vigilant at the moment.
Question: And is anyone in the Vatican listening to your warnings? Do you have any contacts?
Shenouda: Yes, we have been in contact with the Vatican from the very beginning. We initially had the opportunity to pass on information through a priest in our organisation who knows many people in Rome. We are now also in direct contact with the communications dicastery. This allows us to submit our warnings and proposed solutions directly. That's better than before, but it's not enough. The Vatican urgently needs a CISO.
Question: Are you being heard with this demand?
Shenouda: We have formulated our arguments and a plan on how to establish professional IT security in detail in a 60-page handout: How do you assess risks? What risks are there in the first place? What processes and structures are needed to plan new systems securely from the outset?
The rooms of the Vatican Bank IOR are located on five floors in the fortress-like tower of St Niccolo V directly below the Apostolic Palace. The systems of the Vatican Bank are an attractive target for cyber criminals.
Question: That sounds expensive - and the Vatican has money problems at the moment. Can the Vatican afford a cyber security department?
Shenouda: Can it afford not to have one? I also don't think that the Vatican would have to pay market prices. We have managed to conclude good contracts with providers, and many would also work on a donation basis if they could say that they are working with the Vatican. The biggest obstacle is not the money, but the fundamental decision: there needs to be a clear commitment to taking cyber security seriously on a structural level. Cyber security must be on the same level as physical security.
Question: You have already brought together many IT security experts who are involved in their spare time. What kind of people are they?
Shenouda: We come from all over the world - Poland, Canada, the USA, Italy,These are people from all areas of cyber security. Men and women, Catholics and non-Catholics.
Question: And you yourself?
Shenouda: I come from the Netherlands and have been doing cyber security for over 20 years. My company advises clients from all sectors of the economy worldwide. We analyse vulnerabilities, respond to security incidents and develop strategies to defend against cyber threats.
Question: And why are you involved with the church?
Shenouda: I am a Copt. My family lives in Amsterdam, where we didn't have a Coptic church, so I grew up in the Catholic Church in the early years of my life. I went to school with the Poor Clares. It wasn't until I was seven or eight years old that there was a Coptic parish in Amsterdam. I later became a deacon there. But at first I knew nothing other than the Catholic Church. I still appreciate the services in the Catholic church to this day. In a way, I was born into both churches. The Coptic Church is the church of my origin and is very good at preserving the Egyptian culture and tradition of my family. But in the Catholic Church I have always found a spirituality that has helped me to come closer to God. What I appreciate about the Catholic Church is that it is a world church - the Coptic Church is very much centred on Egypt and the Egyptian diaspora. I have also always been involved in the Catholic Church. I helped the Poor Clares with IT projects, for example, with setting up websites. My commitment to the Catholic Church runs like a red thread through my life, even though I am a Copt.
Question: And if the Pope asked you if you would like to become Chief Information Security Officer of the Vatican - would you say yes?
Shenouda: Yes, of course. I already have a good overview of the systems and risks. But I'm very realistic about it: the CISO has to speak Italian. I could probably learn that more or less quickly, but you need someone who can speak to everyone straight away - there are so many issues that need to be dealt with immediately. This is a task that is better taken on by someone who is already working in or around the Vatican and who can take care of it completely straight away. If I can help then: With pleasure!
AI-International
English.katholisch.de provides selected news and topics from katholisch.de translated into English with the help of artificial intelligence (AI) implemented as an additional online service into the editorial system of katholisch.de. This way the majority of the daily news produced by the journalists on the editorial team of katholisch.de are now available for more readers around the globe.