On Monday, editor-in-chief of The Atlantic Jeffrey Goldberg revealed that he had apparently been added to a group chat on the encrypted app Signal between high-level U.S government officials planning a military operation over the weekend. Virginia Tech cybersecurity and social platform experts France Bélanger, Aaron Brantly, Jimmy Ivory and Anthony Vance explain what Signal is, how it works, and how such a breach of national security could happen.
Signal’s end-to-end encryption makes it the most secure messaging app available to civilians, and the Senate has approved Signal for staff use in the past. “In general, it is a more secure way to communicate compared to other apps and tools,” says Bélanger.
But using it for official government communications makes those conversations vulnerable to advanced spyware technologies.
“The application, while excellent for safeguarding communications of human and democracy rights activists, has not been verified for use within the U.S. Intelligence Community,” says Brantly.
“The leak highlights the role of human error in security leaks and breaches. While Signal may not be the ideal platform for communicating sensitive national security information, this leak was caused by user error rather than a technical limitation of the platform’s security features,” Ivory said. “Such an error is not unprecedented. In 2023 security information was accidentally leaked because of mistyped email addresses, and in 2021, it was found the military institutions in Europe were using relatively unsecure platforms for sensitive communication.”
According to the Verizon 2024 Data Breach Investigations Report, 68% of cybersecurity breaches involve the human element, which involves people being tricked. But another 28% of incidents were due to errors that people made. Meanwhile, an IBM Cyber security intelligence report claims up to 95% of security breaches are caused by human error.
“Signal is not an appropriate channel to have these discussions because of the lack of process and procedures to ensure that communications are handled appropriately,” says Vance. “Including a member of the press in this discussion is Exhibit No. 1 for why these processes and procedures are important.”
Signal works the same way as standard messaging apps on iOS, Android, or WhatsApp, making accidentally adding someone “absolutely easy to do,” says Bélanger.
This is especially true “if the included journalist’s name or number is similar to a person intended to be included in the group,” says Vance. “This, again, highlights the need for formal processes and procedures.”
“The practice of not using SCIFs (Secure Compartmented Information Facilities) for the planning and implementation of conflict with a foreign state is an egregious breach of national security protocols, said Brantly. “That the principals group was using this as a means of communications is a profound violation of US classification laws and standards and constitutes a grave threat to U.S. national security.”
