The source NYT article has some more details, but not enough to answer these questions:
One of Mr. Guzmán’s Colombian suppliers, Jorge Cifuentes,
who introduced the kingpin to the I.T. expert, testified
last month that Mr. Rodriguez had promised to arrange
secure communications for what amounted to the entire
cartel’s leadership. His system operated on VoiP, or voice
over internet protocol, Mr. Marston said on Tuesday, and
was accessible only to those within the network. According
to Mr. Cifuentes, Mr. Guzmán was able to sign in through
Wi-Fi even from his hide-outs in the Sierra Madre
Fairly easy to maintain + grow once you get some basics out of the way. The net result is that all the signaling + transport is encrypted as far as non-VPN nodes are concerned.
Yealink T23P Phones have a OpenVPN client built in (some newer Grandstream phones do too), these are relatively inexpensive VoIP desk phones. Once you configure them, and an OpenVPN server you can plug them anywhere you have internet (NAT'ed or otherwise), and not have to worry about NAT Traversal, or other issues.
Asterisk is just running on a stock PC. I'm running on a Supermicro Board with an Atom processor, and for our call volume (50 extension phones, 23 inbound lines, 30 on an inbound call queue, 3 simultaneous calls average, 15 @ our known peak, no transcoding (all uLaw)). The OpenVPN server is a a separate machine, for lighter usage the VPN + Asterisk could probably be the same machine.
For the cell phone, I have CSipSimple running there, with a OpenVPN client to connect to the network.
In my configuration, the phones + Asterisk are not using SSL/TLS directly, but the VPN secures the traffic over untrusted LANs.
Calls within the system are on the protected LAN, but once they reach out to the PSTN, all bets are off.
I've setup a smaller office with a Raspberry Pi 3, and a Grandstream SIP/Analog Gateway, ( 7 Grandstream phones, 3 lines, no transcoding, not very heavy use), and they haven't had any complaints. (see http://www.raspberry-asterisk.org/) If they used SIP trunking over their internet connection, they woulden't need the SIP/Analog gateway, which was the single most expensive piece of equipment in this setup (@ US$399-ish)
I wonder if the encryption here is just SRTP/ZRTP.
Edit - found the article:
It's interesting how even such a serious situation as this can have these moments of laughter.
Then cryptoanalysis becomes O(n)
Jorge Salcedo that took down Cali cartel got million$ for his cooperation.
Do you have any source for that? because I read recently an interview  with the guy and I didn't get the impression he was so well financially.
 - https://ew.com/tv/2017/09/03/narcos-jorge-salcedo-interview/
"Thanks to Salcedo, the entire Cali cartel hierarchy was extradited. For his service, the relocated Colombian received rewards of about $1.7 million."
Not sure if he gets any ongoing salary...but paying makes sense for the Feds in every way. They save resources since the boss will be jailed and collect cash in fines.
They don't have infinite resources. And if they can't get at a person easily, trivially even, maybe it's just not worth the effort a lot of the time. Especially once the damage has been done.
 - https://en.wikipedia.org/wiki/List_of_criminal_enterprises,_...
0 - http://interactives.dallasnews.com/2016/chapa/
1 - https://www.texasmonthly.com/articles/the-cartel-next-door/
I guess that Sinaloa will put this guy #1 or close to it (maybe the Flores twins beat them to #1) on their revenge list. 20-50 kilos of cocaine to the sicarios...a drop in the bucket since they buy for $2k a kilo or so.
No matter the technological sophistication, humans will always be the weakest link in any secure system.