In a recent incident highlighting vulnerabilities in digital communication, several top national security officials inadvertently included a reporter in a Signal chat discussing military operations against Houthi sites in Yemen. This breach prompted the Pentagon to issue a department-wide advisory, cautioning against the use of the Signal Messenger Application, even for unclassified information.
The advisory, dated March 18, was obtained by NPR and outlines a critical vulnerability within the Signal Messenger. The memo states that Russian hacking groups are exploiting the app's 'linked devices' feature to monitor encrypted conversations. Google has also identified these Russian actors as actively targeting Signal users to spy on individuals of interest.
A prior memo released in 2023 cautioned against using Signal for any nonpublic official information, emphasizing the need for heightened awareness regarding potential threats. In response to growing concerns, a Signal spokesperson clarified that the Pentagon's memo does not reflect the app's security level but rather highlights the risks associated with phishing attacks. These attacks often involve hackers impersonating trusted entities to deceive users and gain access to sensitive data.
Following the identification of these threats, Signal implemented additional safeguards and in-app warnings to protect users from falling victim to phishing schemes. According to Signal spokesman Jun Harada, these improvements were completed months ago, underlining the company's commitment to user security.
The March 18 memo further clarifies that while third-party messaging apps like Signal are allowed for unclassified accountability and recall exercises, they are strictly prohibited from processing or storing nonpublic unclassified information. This guidance is particularly relevant in the context of sensitive discussions, such as those involving military operations.
The appropriateness of using Signal for sensitive discussions came under scrutiny after Defense Secretary Pete Hegseth and other national security leaders engaged in discussions regarding military action on the platform. The Atlantic's editor-in-chief, Jeffrey Goldberg, was accidentally included in this chat, gaining access to highly sensitive information.
In military parlance, the unauthorized sharing of classified data over insecure channels is referred to as 'spillage,' which can result in severe career repercussions for military personnel. A 2023 Defense Department memo explicitly prohibited the use of mobile applications for even controlled unclassified information, which is significantly less sensitive than real-time military operation data.
John Bolton, former national security adviser during the Trump administration, expressed astonishment at the situation, noting that it is highly unusual for high-ranking officials in defense, intelligence, and national security to share sensitive military intelligence through an unsecured forum. He remarked, “These are absolutely basic protocols, yet here we have Cabinet-level officials failing to question the appropriateness of using Signal for such discussions.”
It is worth noting that Katherine Maher, the CEO of NPR, chairs the board of the Signal Foundation, adding another layer of complexity to the situation. This incident serves as a crucial reminder of the importance of secure communications in national security operations.
